Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
08-02-2023 08:08
General
-
Target
f2c5b17ddc3745a92d3913cd69b2e0cc88aaf57716fe22ce49f3331a2beebdc6.exe
-
Size
314KB
-
MD5
d0da8b99593537e0f528cdbb9349de35
-
SHA1
86df8cbd120d5f1e953c6e2f623a397d37a28b33
-
SHA256
f2c5b17ddc3745a92d3913cd69b2e0cc88aaf57716fe22ce49f3331a2beebdc6
-
SHA512
ab3aa1444e5eca183793a255fc59d6bca83f938461f22240a5ef37d89167a22555fc32e1f2a73093b66b48c6f37f51392736dce93ba91d3602262255a64df161
-
SSDEEP
3072:YwtqJCK5wXR5o9gWBETrM0hLEeqNL9gYzr4+qyTWByUAl1sJsBWu:Y0qTUo9gWcwocBgwLTWUjPIu
Malware Config
Extracted
gozi
Extracted
gozi
1001
https://checklist.skype.com
http://176.10.125.84
http://91.242.219.235
http://79.132.130.73
http://176.10.119.209
http://194.76.225.88
http://79.132.134.158
-
base_path
/microsoft/
-
build
260255
-
exe_type
loader
-
extension
.acx
-
server_id
50
Extracted
djvu
http://bihsy.com/lancer/get.php
-
extension
.erop
-
offline_id
xVB7l5LcUtDGyghMgGsTvebrKc0RGgDXlN1BoKt1
-
payload_url
http://uaery.top/dl/build2.exe
http://bihsy.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8pCGyFnOj6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0641JOsie
Extracted
laplas
http://45.159.189.105
-
api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd
Signatures
-
Detected Djvu ransomware 10 IoCs
-
Detects Smokeloader packer 1 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2c5b17ddc3745a92d3913cd69b2e0cc88aaf57716fe22ce49f3331a2beebdc6.exe"C:\Users\Admin\AppData\Local\Temp\f2c5b17ddc3745a92d3913cd69b2e0cc88aaf57716fe22ce49f3331a2beebdc6.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C691.exeC:\Users\Admin\AppData\Local\Temp\C691.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 10322⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\C79B.exeC:\Users\Admin\AppData\Local\Temp\C79B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C79B.exeC:\Users\Admin\AppData\Local\Temp\C79B.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\723f008c-5721-438d-bc8d-f09a80dbd7a7" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\C79B.exe"C:\Users\Admin\AppData\Local\Temp\C79B.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C79B.exe"C:\Users\Admin\AppData\Local\Temp\C79B.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\8537e92c-901d-4148-8386-ee699fd94fe0\build3.exe"C:\Users\Admin\AppData\Local\8537e92c-901d-4148-8386-ee699fd94fe0\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"6⤵
- Creates scheduled task(s)
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C887.exeC:\Users\Admin\AppData\Local\Temp\C887.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 212 -ip 2121⤵
-
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exeC:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\ttfhibhC:\Users\Admin\AppData\Roaming\ttfhibh1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD50a0b229200e844dd99e5bd4a96157dc9
SHA1f0d9dd308e562849fba66546c08cb6868613df4d
SHA25601bc83810123b2cf28d2a027a4201f93537daeda3f40c4ef7d83c0bd44baedda
SHA512af4d0a4566bec38a8f1e97ee2a4daf81f1b4ef2a2893dbd09fb4b147f6c86bf37ab24959a7f5550e7c477187c825182e737d04bc6c56647e76a6c027529dac61
-
Filesize
1KB
MD595699a1d2d3132a4067cecdcbc504fca
SHA10491453351e9eedac59152594e9b5ff0f091b54e
SHA256ec6eb0fbc54c26ddbc5e7a8227b657fa20e0b9d565994001273ba32ccd0c53f4
SHA51293ea4adfa46089cd37bb40077f0c4db111f4a16ae3d312b5d35450462b6228b7cae0e57c2888386041749df2014997cec3e590e436161825a6d42e44f6f694f0
-
Filesize
488B
MD5d4b16183a57d2c3e7aff4f48a9f14f51
SHA196ec5763773ff7de0ad201127b9936dfc8aa2855
SHA25683559b4fb5817e12d489af0ecefcbd66b6b55671ade2e0bd7e604cfdb2bf337c
SHA512a955baa9eb8de7697dbdb6a8891460419c420b15ce8b31da17f3fbf86286f298893b3960248806954f8135df01ca0481086fd52ef8f03286d44c35c1329aef46
-
Filesize
482B
MD5cf0267d125d1ecffef95da9cf28a1a25
SHA1555b34f04f518db1a1c90235182f6c2768b8d8e3
SHA256fed358a367d0018c6c6666e66c96e3168860f4f03d73f5a7058d1ff8d7658d57
SHA5124cdb85d88fb79b3add5350958c3a3c8b9a181f4af569257ad79d5440975c36da04d0f24545fe422e46979e2d850f6ebb2709eba9557b171b8efd9a6744dace1c
-
Filesize
706KB
MD546909da148de57b2d85591626aedbd76
SHA18000c3d7b0b33eaa538f8b0e09eff0559af06287
SHA2560ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692
SHA512c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
378KB
MD5b141bc58618c537917cc1da179cbe8ab
SHA1c76d3f5eeae9493e41a272a974b5dfec5f4e4724
SHA256fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e
SHA5125c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114
-
Filesize
378KB
MD5b141bc58618c537917cc1da179cbe8ab
SHA1c76d3f5eeae9493e41a272a974b5dfec5f4e4724
SHA256fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e
SHA5125c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114
-
Filesize
706KB
MD546909da148de57b2d85591626aedbd76
SHA18000c3d7b0b33eaa538f8b0e09eff0559af06287
SHA2560ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692
SHA512c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603
-
Filesize
706KB
MD546909da148de57b2d85591626aedbd76
SHA18000c3d7b0b33eaa538f8b0e09eff0559af06287
SHA2560ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692
SHA512c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603
-
Filesize
706KB
MD546909da148de57b2d85591626aedbd76
SHA18000c3d7b0b33eaa538f8b0e09eff0559af06287
SHA2560ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692
SHA512c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603
-
Filesize
706KB
MD546909da148de57b2d85591626aedbd76
SHA18000c3d7b0b33eaa538f8b0e09eff0559af06287
SHA2560ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692
SHA512c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603
-
Filesize
706KB
MD546909da148de57b2d85591626aedbd76
SHA18000c3d7b0b33eaa538f8b0e09eff0559af06287
SHA2560ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692
SHA512c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603
-
Filesize
172KB
MD5185596291815d84f3894dbeef5ea54e7
SHA16ff9c5982d02187a4e9961a98ab490ba479ed8e2
SHA2563d723b2eac949a522f1d0d48d060a528cb275ae14803762200a760fdf9720e11
SHA51299f61314609ce59795d7dce5c17a1564a18613d8babe242d192b83911c8baf0f746067e9aee08609da5f0d5514cb761c1364859f082bc1d18c6ecc7208f28eb5
-
Filesize
172KB
MD5185596291815d84f3894dbeef5ea54e7
SHA16ff9c5982d02187a4e9961a98ab490ba479ed8e2
SHA2563d723b2eac949a522f1d0d48d060a528cb275ae14803762200a760fdf9720e11
SHA51299f61314609ce59795d7dce5c17a1564a18613d8babe242d192b83911c8baf0f746067e9aee08609da5f0d5514cb761c1364859f082bc1d18c6ecc7208f28eb5
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
742.4MB
MD560acd059bd2eed319b43ca17dc42b5f1
SHA120a9bc00e833c052c5c76207c7fa04753c9937b7
SHA25633cdc8b2b0a810c4959c4d390435e9d8b941ccd28234d84093b7e9b97dddb8e6
SHA512a0193ab51025caf904a077155de40a9f582fd1758e7fac3d8d7d7f869bbd085a0098150323bf4219992314c9e63e918cf294263e62e96b4876cb3ca3c9824577
-
Filesize
742.4MB
MD560acd059bd2eed319b43ca17dc42b5f1
SHA120a9bc00e833c052c5c76207c7fa04753c9937b7
SHA25633cdc8b2b0a810c4959c4d390435e9d8b941ccd28234d84093b7e9b97dddb8e6
SHA512a0193ab51025caf904a077155de40a9f582fd1758e7fac3d8d7d7f869bbd085a0098150323bf4219992314c9e63e918cf294263e62e96b4876cb3ca3c9824577
-
Filesize
314KB
MD5d0da8b99593537e0f528cdbb9349de35
SHA186df8cbd120d5f1e953c6e2f623a397d37a28b33
SHA256f2c5b17ddc3745a92d3913cd69b2e0cc88aaf57716fe22ce49f3331a2beebdc6
SHA512ab3aa1444e5eca183793a255fc59d6bca83f938461f22240a5ef37d89167a22555fc32e1f2a73093b66b48c6f37f51392736dce93ba91d3602262255a64df161
-
Filesize
314KB
MD5d0da8b99593537e0f528cdbb9349de35
SHA186df8cbd120d5f1e953c6e2f623a397d37a28b33
SHA256f2c5b17ddc3745a92d3913cd69b2e0cc88aaf57716fe22ce49f3331a2beebdc6
SHA512ab3aa1444e5eca183793a255fc59d6bca83f938461f22240a5ef37d89167a22555fc32e1f2a73093b66b48c6f37f51392736dce93ba91d3602262255a64df161
-
Filesize
488KB
-
Filesize
284KB
-
Filesize
168KB
-
-
Filesize
168KB
-
Filesize
488KB
-
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
-
Filesize
1.1MB
-
Filesize
580KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
488KB
-
-
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
-
Filesize
56KB
-
-
Filesize
52KB
-
Filesize
68KB
-
Filesize
56KB
-
-
-
Filesize
580KB
-
Filesize
808KB
-
Filesize
36KB
-
Filesize
808KB
-
Filesize
84KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
84KB