Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
17/09/2022, 20:33
General
-
Target
file.exe
-
Size
291KB
-
MD5
cc4c23d08618b9e1e0fc5fb7612ecb72
-
SHA1
da58fa6dbb5c9d36aaa13dc133047375c6ce4ad5
-
SHA256
b0911a9dd3cfaeac8a09d2c1e39735d6fffda0ededce1cf0b4fa0334ded45f6b
-
SHA512
277455f28d5eaaded7b0a86daae5a8413b95a7fdfbac13bed8686f42b2dd3e69453e0a56d8ca342d09b73a022d6a7faade87302315a8d003046df80a1adb5741
-
SSDEEP
6144:k6z4LxAOH/SKTarMaDB0o+ZWLnigabwVf:k60NAOH/zTIKoVLi
Malware Config
Extracted
djvu
http://acacaca.org/lancer/get.php
-
extension
.aabn
-
offline_id
MyudhIExJux2oRQXw95TT1oAPu7mvqRMzxr1eet1
-
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-4Xcf4IX21n Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0565Jhyjd
Extracted
raccoon
7394a7fc5da9794209d8b0503ca4abf4
http://213.252.245.214
Signatures
-
Detected Djvu ransomware 10 IoCs
-
Detects Smokeloader packer 1 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\5498.exeC:\Users\Admin\AppData\Local\Temp\5498.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5498.exeC:\Users\Admin\AppData\Local\Temp\5498.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\56e2f769-a5b0-4d48-ae30-c5fa3ee94d93" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\5498.exe"C:\Users\Admin\AppData\Local\Temp\5498.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5498.exe"C:\Users\Admin\AppData\Local\Temp\5498.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\44389240-183e-47cc-bd46-ba229d0cfe9c\build2.exe"C:\Users\Admin\AppData\Local\44389240-183e-47cc-bd46-ba229d0cfe9c\build2.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\44389240-183e-47cc-bd46-ba229d0cfe9c\build3.exe"C:\Users\Admin\AppData\Local\44389240-183e-47cc-bd46-ba229d0cfe9c\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"6⤵
- Creates scheduled task(s)
-
-
-
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\562F.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\562F.dll2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\571B.exeC:\Users\Admin\AppData\Local\Temp\571B.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6F38.exeC:\Users\Admin\AppData\Local\Temp\6F38.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5ea3ead1b160922fb25b1b9d766a56fa5
SHA19f61cb0a5a80fa5ba776f71fed4728d002d3aca1
SHA2564080213fba647d43c0ac02710ac7b631c23f8f791930016045cda9aeec1b6867
SHA512ec817bdc668bff4c266ca8b6a6c4068251926714262a95f9ac7f7565e2d66a26371589182d0ba1d03fa482d99430b865cb7eb24becf92b72e45f20b26a215c15
-
Filesize
1KB
MD5e9e482bf825221326b7c080ef52e5036
SHA167244c170dad567630298f89364a5e9626e2517a
SHA25660843d5086f10e833ca98696967f1a39ea04a2ffee6d87679b5803092b9cfa71
SHA512c7a5fd63c0faa2a5cd8be90c7dcf10d8dd564964dc4b8ab4fa1a7a188fa89094563f595c94f4ea133582cfbcf9cc90cb74bd273924b7fa5eadae868bced51440
-
Filesize
488B
MD5943d2fd269c183c8b12e0c51ff3b6d26
SHA1a816273d662f4d3673adb48bcd0be5bc7b4736d6
SHA256bc558431a7e299b3d8f6b306ba982917fca3dad0092788b11282d808b5573d94
SHA512865c05577a5aea9531212453ce20f232faab02e414fd156f4ec6d892fa9ee923de6916bbfc8d2dd7ac13422c664059290634b66f74b7084dc852c3d8edeb6ffc
-
Filesize
482B
MD57c0372f25292720bdba829a6eaf2c73c
SHA15e5ac542049461eca8f21c43ad84491486b2fcab
SHA25608673096721098db7133b9ad1fc91854d21ce6114aa9a418739507c3076add61
SHA512f538fddcf9b9b64e858187f2eebdf0a0ffa0c4600a3bb1875a249ab717790accf127111711a7baaca04a573df4c7c6817deb7033c9717fc9febe7ffc1a02972d
-
Filesize
376KB
MD58b01bb02b7aeb097ba96dc7628575ca0
SHA111046fb024f695b1dc7a3a0be9167cb4e85548c6
SHA2567abb4b2423a93fa4b7a2cd19bcc854cc96d2e9ed20c13b86c39f49fe7cb80e4a
SHA51264cd772d4e319255e32909577ac137966cd47bd295aa3a61a76e52d651d80d313a3cfee7ea88d703bb293931a91558161184de2b76f8e5d9a2358a065c5c5f35
-
Filesize
376KB
MD58b01bb02b7aeb097ba96dc7628575ca0
SHA111046fb024f695b1dc7a3a0be9167cb4e85548c6
SHA2567abb4b2423a93fa4b7a2cd19bcc854cc96d2e9ed20c13b86c39f49fe7cb80e4a
SHA51264cd772d4e319255e32909577ac137966cd47bd295aa3a61a76e52d651d80d313a3cfee7ea88d703bb293931a91558161184de2b76f8e5d9a2358a065c5c5f35
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
810KB
MD5b3b3ce9a828b0618fce1d501772b7e21
SHA1383d07a269563517e61b9196fd6d67eaed570a0d
SHA256d0334afe19a3fa3d839d7f69caa52dc1ff5c8aeaa4b85f5bfb07987f9d502e70
SHA5129a0aa74eae28f1c87a6fec8510fc72e980e1aeb13c7752e271f9edde237cdd7e804b5a3a90cc3d87cf36cc2031707fa97a08dc17303e9f3143f6674f09a5c8bf
-
Filesize
810KB
MD5b3b3ce9a828b0618fce1d501772b7e21
SHA1383d07a269563517e61b9196fd6d67eaed570a0d
SHA256d0334afe19a3fa3d839d7f69caa52dc1ff5c8aeaa4b85f5bfb07987f9d502e70
SHA5129a0aa74eae28f1c87a6fec8510fc72e980e1aeb13c7752e271f9edde237cdd7e804b5a3a90cc3d87cf36cc2031707fa97a08dc17303e9f3143f6674f09a5c8bf
-
Filesize
810KB
MD5b3b3ce9a828b0618fce1d501772b7e21
SHA1383d07a269563517e61b9196fd6d67eaed570a0d
SHA256d0334afe19a3fa3d839d7f69caa52dc1ff5c8aeaa4b85f5bfb07987f9d502e70
SHA5129a0aa74eae28f1c87a6fec8510fc72e980e1aeb13c7752e271f9edde237cdd7e804b5a3a90cc3d87cf36cc2031707fa97a08dc17303e9f3143f6674f09a5c8bf
-
Filesize
810KB
MD5b3b3ce9a828b0618fce1d501772b7e21
SHA1383d07a269563517e61b9196fd6d67eaed570a0d
SHA256d0334afe19a3fa3d839d7f69caa52dc1ff5c8aeaa4b85f5bfb07987f9d502e70
SHA5129a0aa74eae28f1c87a6fec8510fc72e980e1aeb13c7752e271f9edde237cdd7e804b5a3a90cc3d87cf36cc2031707fa97a08dc17303e9f3143f6674f09a5c8bf
-
Filesize
810KB
MD5b3b3ce9a828b0618fce1d501772b7e21
SHA1383d07a269563517e61b9196fd6d67eaed570a0d
SHA256d0334afe19a3fa3d839d7f69caa52dc1ff5c8aeaa4b85f5bfb07987f9d502e70
SHA5129a0aa74eae28f1c87a6fec8510fc72e980e1aeb13c7752e271f9edde237cdd7e804b5a3a90cc3d87cf36cc2031707fa97a08dc17303e9f3143f6674f09a5c8bf
-
Filesize
810KB
MD5b3b3ce9a828b0618fce1d501772b7e21
SHA1383d07a269563517e61b9196fd6d67eaed570a0d
SHA256d0334afe19a3fa3d839d7f69caa52dc1ff5c8aeaa4b85f5bfb07987f9d502e70
SHA5129a0aa74eae28f1c87a6fec8510fc72e980e1aeb13c7752e271f9edde237cdd7e804b5a3a90cc3d87cf36cc2031707fa97a08dc17303e9f3143f6674f09a5c8bf
-
Filesize
1.5MB
MD5d6a47227f94329ef24299d3b44b07c76
SHA124238a7ce13d16bf8e7194f21609462e04cabdba
SHA256fd4d29413f205910926eef85398b17f51bb1af975b740ab1093376fb09df07e1
SHA512855a109d6f4316f9922dd6c8ba25199210f0f237af8500399ef969439c659e4ee1959dedbe2e743baa99e653fdefe101194a5d9e730495909d66a9047f50831f
-
Filesize
1.5MB
MD5d6a47227f94329ef24299d3b44b07c76
SHA124238a7ce13d16bf8e7194f21609462e04cabdba
SHA256fd4d29413f205910926eef85398b17f51bb1af975b740ab1093376fb09df07e1
SHA512855a109d6f4316f9922dd6c8ba25199210f0f237af8500399ef969439c659e4ee1959dedbe2e743baa99e653fdefe101194a5d9e730495909d66a9047f50831f
-
Filesize
1.5MB
MD5d6a47227f94329ef24299d3b44b07c76
SHA124238a7ce13d16bf8e7194f21609462e04cabdba
SHA256fd4d29413f205910926eef85398b17f51bb1af975b740ab1093376fb09df07e1
SHA512855a109d6f4316f9922dd6c8ba25199210f0f237af8500399ef969439c659e4ee1959dedbe2e743baa99e653fdefe101194a5d9e730495909d66a9047f50831f
-
Filesize
388KB
MD52c9ba61967ebae81290477ae4e17a428
SHA16abc911f746e90e5cc56d526df8d3e71076156f7
SHA2563dd85136dc7ace7d4c7f38f91bacc3489c65ebfb20d945eb9f1702343f8e4eec
SHA512efd11abf6266ce1c487d6ce1ac6c1762223103975e822091faac42c8e860b89c9125985429b8ed96122be919e51888b35bbaff031a27a57ae9312bb3c386cb4b
-
Filesize
388KB
MD52c9ba61967ebae81290477ae4e17a428
SHA16abc911f746e90e5cc56d526df8d3e71076156f7
SHA2563dd85136dc7ace7d4c7f38f91bacc3489c65ebfb20d945eb9f1702343f8e4eec
SHA512efd11abf6266ce1c487d6ce1ac6c1762223103975e822091faac42c8e860b89c9125985429b8ed96122be919e51888b35bbaff031a27a57ae9312bb3c386cb4b
-
Filesize
4.8MB
MD5428da7a5f75ea1f5806f3c120e5d0800
SHA16494c05df07f73668f8245aaaa6606e58848ab02
SHA256782c7ce28b3d6430b99b22c93f01dc33221e570871cc6b51f298fbcc6855036a
SHA512100814a91dcc4aeaa59840797869b4fd194f7ea5def2480a853aa217261a128ba99b9f632fce7108345f83d08154249e99f400e1616f3886ddb527e5ffbe6d7c
-
Filesize
4.8MB
MD5428da7a5f75ea1f5806f3c120e5d0800
SHA16494c05df07f73668f8245aaaa6606e58848ab02
SHA256782c7ce28b3d6430b99b22c93f01dc33221e570871cc6b51f298fbcc6855036a
SHA512100814a91dcc4aeaa59840797869b4fd194f7ea5def2480a853aa217261a128ba99b9f632fce7108345f83d08154249e99f400e1616f3886ddb527e5ffbe6d7c
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
468KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
1.4MB
-
Filesize
1.1MB
-
Filesize
764KB
-
Filesize
676KB
-
Filesize
676KB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
580KB
-
Filesize
1.1MB
-
Filesize
580KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
80KB
-
Filesize
312KB
-
Filesize
68KB
-
Filesize
312KB
-
Filesize
36KB