djvu | 026a1310c5a9480f15f0a936acabffef385ad24dc71ab943fc6eaa65b8732ec6

Analysis

max time kernel
35s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2023 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0cd61f7b033dbcb73285ce232d4d694.exe
Size

329KB
MD5

b0cd61f7b033dbcb73285ce232d4d694
SHA1

ecbed113ac446902e763e7826e3d3089532c2257
SHA256

026a1310c5a9480f15f0a936acabffef385ad24dc71ab943fc6eaa65b8732ec6
SHA512

ff2ee0ee66d8a89a21b2274a62ef141e88c29dbe24c39be795bba51572f06f7b79bcdd28840eff260264ca876086df3b844dce1e224b7b934c5b6dba5615a482
SSDEEP

6144:UnKOE0/3/Xnu4426YCbHWqiafWbyDqCFPsUY6:Unr/3/Xrqia9OCfY

Score

10^/10

djvu icedid smokeloader 3131022508 backdoor banker loader ransomware spyware stealer trojan

Malware Config

Extracted

Family

icedid

Campaign

3131022508

wagringamuk.com

Extracted

Family

djvu

http://spaceris.com/lancer/get.php

Attributes

extension
.zouu
offline_id
7hl6KB3alcoZ6n4DhS2rApCezkIMzShntAiXWMt1
payload_url
http://uaery.top/dl/build2.exe

http://spaceris.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-N3pXlaPXFm Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0631JOsie

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/912-170-0x00000000023A0000-0x00000000024BB000-memory.dmp	family_djvu
behavioral2/memory/2500-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2500-166-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2500-171-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2500-172-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/360-133-0x0000000002190000-0x0000000002199000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

D5F2.exeD6FD.exeD95F.exeDA89.exeDCCC.exeE151.exeE2AA.exe

pid process

384 D5F2.exe
912 D6FD.exe
4392 D95F.exe
3032 DA89.exe
4224 DCCC.exe
4844 E151.exe
3576 E2AA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.2ip.ua
28 api.2ip.ua

pid	process
384	D5F2.exe
912	D6FD.exe
4392	D95F.exe
3032	DA89.exe
4224	DCCC.exe
4844	E151.exe
3576	E2AA.exe

flow	ioc
27	api.2ip.ua
28	api.2ip.ua

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b0cd61f7b033dbcb73285ce232d4d694.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b0cd61f7b033dbcb73285ce232d4d694.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b0cd61f7b033dbcb73285ce232d4d694.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b0cd61f7b033dbcb73285ce232d4d694.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b0cd61f7b033dbcb73285ce232d4d694.exe

pid	process
360	b0cd61f7b033dbcb73285ce232d4d694.exe
360	b0cd61f7b033dbcb73285ce232d4d694.exe
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012
1012

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b0cd61f7b033dbcb73285ce232d4d694.exe

pid process

360 b0cd61f7b033dbcb73285ce232d4d694.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012
Token: SeShutdownPrivilege	1012
Token: SeCreatePagefilePrivilege	1012

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

DCCC.exeD6FD.exe

description	pid	process	target process
PID 1012 wrote to memory of 384	1012		D5F2.exe
PID 1012 wrote to memory of 384	1012		D5F2.exe
PID 1012 wrote to memory of 912	1012		D6FD.exe
PID 1012 wrote to memory of 912	1012		D6FD.exe
PID 1012 wrote to memory of 912	1012		D6FD.exe
PID 1012 wrote to memory of 4392	1012		D95F.exe
PID 1012 wrote to memory of 4392	1012		D95F.exe
PID 1012 wrote to memory of 4392	1012		D95F.exe
PID 1012 wrote to memory of 3032	1012		DA89.exe
PID 1012 wrote to memory of 3032	1012		DA89.exe
PID 1012 wrote to memory of 3032	1012		DA89.exe
PID 1012 wrote to memory of 4224	1012		DCCC.exe
PID 1012 wrote to memory of 4224	1012		DCCC.exe
PID 1012 wrote to memory of 4224	1012		DCCC.exe
PID 1012 wrote to memory of 4844	1012		E151.exe
PID 1012 wrote to memory of 4844	1012		E151.exe
PID 1012 wrote to memory of 4844	1012		E151.exe
PID 1012 wrote to memory of 3576	1012		E2AA.exe
PID 1012 wrote to memory of 3576	1012		E2AA.exe
PID 1012 wrote to memory of 3576	1012		E2AA.exe
PID 4224 wrote to memory of 3496	4224	DCCC.exe	cmd.exe
PID 4224 wrote to memory of 3496	4224	DCCC.exe	cmd.exe
PID 4224 wrote to memory of 3496	4224	DCCC.exe	cmd.exe
PID 912 wrote to memory of 2500	912	D6FD.exe	D6FD.exe
PID 912 wrote to memory of 2500	912	D6FD.exe	D6FD.exe
PID 912 wrote to memory of 2500	912	D6FD.exe	D6FD.exe

C:\Users\Admin\AppData\Local\Temp\b0cd61f7b033dbcb73285ce232d4d694.exe
"C:\Users\Admin\AppData\Local\Temp\b0cd61f7b033dbcb73285ce232d4d694.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:360

C:\Users\Admin\AppData\Local\Temp\D5F2.exe
C:\Users\Admin\AppData\Local\Temp\D5F2.exe
1⤵
- Executes dropped EXE
PID:384

C:\Users\Admin\AppData\Local\Temp\D6FD.exe
C:\Users\Admin\AppData\Local\Temp\D6FD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\D6FD.exe
C:\Users\Admin\AppData\Local\Temp\D6FD.exe
2⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\D95F.exe
C:\Users\Admin\AppData\Local\Temp\D95F.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\AppData\Local\Temp\DA89.exe
C:\Users\Admin\AppData\Local\Temp\DA89.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\Temp\DCCC.exe
C:\Users\Admin\AppData\Local\Temp\DCCC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
2⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\E151.exe
C:\Users\Admin\AppData\Local\Temp\E151.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Users\Admin\AppData\Local\Temp\E2AA.exe
C:\Users\Admin\AppData\Local\Temp\E2AA.exe
1⤵
- Executes dropped EXE
PID:3576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D5F2.exe
Filesize
747KB

MD5
02ff76dbe2bb9fc49ddea931896601d3

SHA1
037f7708d988957d49243b2e93df0878e22e0030

SHA256
30ac60ce48ad9a04c19803d9b4dbee395ad362ad782b8912fce238a90f1cced0

SHA512
79a9a33b4a61346bfd8440a0c71996a3606d4bc4026e8cf8a5361d1bd02d91fd5802af37e879a799e75881dbb0c577c9e8a7c529f4ffb7f8b47e33935f1e5f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5F2.exe
Filesize
747KB

MD5
02ff76dbe2bb9fc49ddea931896601d3

SHA1
037f7708d988957d49243b2e93df0878e22e0030

SHA256
30ac60ce48ad9a04c19803d9b4dbee395ad362ad782b8912fce238a90f1cced0

SHA512
79a9a33b4a61346bfd8440a0c71996a3606d4bc4026e8cf8a5361d1bd02d91fd5802af37e879a799e75881dbb0c577c9e8a7c529f4ffb7f8b47e33935f1e5f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6FD.exe
Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6FD.exe
Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6FD.exe
Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D95F.exe
Filesize
328KB

MD5
b54b0f4790d10dfcfea72788016469c1

SHA1
406fcd215fdf2f3e99be8d77f7b8ff5c07148ab2

SHA256
4e8d1299079387e4287d76ef6d2d3dcd00b1b01c411c7c47bed3a846b00dc41c

SHA512
fac6a7c6731e8d8b721b6a7c4b636e5c459c578cbfe1edd753978394d985f928eeeac9fd83f2ef639c53c83c7c25fc806fb3492ca0aa97f11678666ad22fa5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D95F.exe
Filesize
328KB

MD5
b54b0f4790d10dfcfea72788016469c1

SHA1
406fcd215fdf2f3e99be8d77f7b8ff5c07148ab2

SHA256
4e8d1299079387e4287d76ef6d2d3dcd00b1b01c411c7c47bed3a846b00dc41c

SHA512
fac6a7c6731e8d8b721b6a7c4b636e5c459c578cbfe1edd753978394d985f928eeeac9fd83f2ef639c53c83c7c25fc806fb3492ca0aa97f11678666ad22fa5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA89.exe
Filesize
327KB

MD5
1d04438d49e15bad354bc606852e43dd

SHA1
febdfc26cf1a443bd22ab4b0745ce21fece43556

SHA256
1747f4f45223125c112798c43414259280c6d6ffc19ebb2bd29094a795603c77

SHA512
4655c62461be893a9982e8ee99a514394412af543a49204c3080f710ff0ab7dab0a21fc4660f76d295a731ea87947dea0fbd9194188b66838435e156cb434e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA89.exe
Filesize
327KB

MD5
1d04438d49e15bad354bc606852e43dd

SHA1
febdfc26cf1a443bd22ab4b0745ce21fece43556

SHA256
1747f4f45223125c112798c43414259280c6d6ffc19ebb2bd29094a795603c77

SHA512
4655c62461be893a9982e8ee99a514394412af543a49204c3080f710ff0ab7dab0a21fc4660f76d295a731ea87947dea0fbd9194188b66838435e156cb434e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCC.exe
Filesize
2.5MB

MD5
ad4cf6b10fc5163e5fbcd3ef6a344e83

SHA1
604fae0977c72371722c15ef49f753a6cc0b335a

SHA256
e8daa12a3cac1c5756ceb69af1f7873f874437304afe91330fc49bb1cd09403b

SHA512
8a7bc5d2c10466dda74979cc869fea9d10b3526f3ae42d8fa26938ff9339ade8527a6d610e738605fd12ce151c7e69f3220bd01881003f961e313a63d959cc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\E151.exe
Filesize
4.5MB

MD5
1a450a1a716cdb1bc3bd0b7467c2f157

SHA1
195d2f7052897360b07cf68a9f05794fcb41d88e

SHA256
88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b

SHA512
de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188

Download Submit
C:\Users\Admin\AppData\Local\Temp\E151.exe
Filesize
4.5MB

MD5
1a450a1a716cdb1bc3bd0b7467c2f157

SHA1
195d2f7052897360b07cf68a9f05794fcb41d88e

SHA256
88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b

SHA512
de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2AA.exe
Filesize
329KB

MD5
b44e0936354559a7de62539fc1c3b73d

SHA1
d90625e38e72fa3e479cee8699462cf3358dba46

SHA256
aec64e84eda7d685c49a0df6452e238d4ff47d9413d0a55b5060fffe9c8ab903

SHA512
2209956b7975dbaa1325dc303486299f7e22088d787b84dcaf5c8b8f10cb19cb45760267ea3b7a5923acdd0343cfa10aea59df78f1d3a051ec6d8cb6b24ee1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2AA.exe
Filesize
329KB

MD5
b44e0936354559a7de62539fc1c3b73d

SHA1
d90625e38e72fa3e479cee8699462cf3358dba46

SHA256
aec64e84eda7d685c49a0df6452e238d4ff47d9413d0a55b5060fffe9c8ab903

SHA512
2209956b7975dbaa1325dc303486299f7e22088d787b84dcaf5c8b8f10cb19cb45760267ea3b7a5923acdd0343cfa10aea59df78f1d3a051ec6d8cb6b24ee1ab

Download Submit
C:\Users\Admin\AppData\Roaming\bebra.exe
Filesize
5B

MD5
8b1a9953c4611296a827abf8c47804d7

SHA1
f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0

SHA256
185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

SHA512
3615f80c9d293ed7402687f94b22d58e529b8cc7916f8fac7fddf7fbd5af4cf777d3d795a7a00a16bf7e7f3fb9561ee9baae480da9fe7a18769e71886b03f315

Download Submit
memory/360-133-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download
memory/360-132-0x00000000004BE000-0x00000000004D4000-memory.dmp

Filesize
88KB

Download
memory/360-134-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/360-135-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/384-136-0x0000000000000000-mapping.dmp

Download
memory/384-148-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/384-139-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/912-169-0x00000000021A9000-0x000000000223A000-memory.dmp

Filesize
580KB

Download
memory/912-170-0x00000000023A0000-0x00000000024BB000-memory.dmp

Filesize
1.1MB

Download
memory/912-145-0x0000000000000000-mapping.dmp

Download
memory/2500-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2500-171-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2500-166-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2500-165-0x0000000000000000-mapping.dmp

Download
memory/2500-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3032-152-0x0000000000000000-mapping.dmp

Download
memory/3496-163-0x0000000000000000-mapping.dmp

Download
memory/3576-159-0x0000000000000000-mapping.dmp

Download
memory/4224-155-0x0000000000000000-mapping.dmp

Download
memory/4392-149-0x0000000000000000-mapping.dmp

Download
memory/4844-157-0x0000000000000000-mapping.dmp

Download