Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2023, 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    194KB

  • MD5

    5c1ad6a3aff20fe0cf5668dc7b755e1b

  • SHA1

    af9d60cc3c736d1bce2272d1f43eb861997b959d

  • SHA256

    b5708271f0a223643e9786d73493fcb1566a08cb5a3886d4e34849505920b0a5

  • SHA512

    0873cb932eafc2a68b1307fd0e18c42c73813655afddb3af20dda267032cebf2ea2fce7a77da136a3f94dddab83dbac76976bd9d5c22bb4c5f1f9b9a77265993

  • SSDEEP

    3072:lUKn4T4MRNH85cJiRLMedUh0CTx483pCHWqjt0UTesHDnYC2:lBnSLNHkcJi6eKBx4CpC2yTeOL2

Score
10/10
djvusmokeloaderbackdoorpersistenceransomwaretrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://zexeq.com/test2/get.php

Attributes
  • extension

    .goaq

  • offline_id

    zMrgM3QgNJsLARd9vs9a31qnKMjRqxjLT6s9OQt1

  • payload_url

    http://uaery.top/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rayImYlyWe Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0656Usjf

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 4 IoCs
  • Detects Smokeloader packer 1 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2108
  • C:\Users\Admin\AppData\Local\Temp\E77.exe
    C:\Users\Admin\AppData\Local\Temp\E77.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Adds Run key to start application
    PID:3532
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
        PID:3108
    • C:\Users\Admin\AppData\Local\Temp\275F.exe
      C:\Users\Admin\AppData\Local\Temp\275F.exe
      1⤵
      • Executes dropped EXE
      PID:2820
      • C:\Users\Admin\AppData\Local\Temp\275F.exe
        C:\Users\Admin\AppData\Local\Temp\275F.exe
        2⤵
          PID:1352
      • C:\Users\Admin\AppData\Local\Temp\2A3E.exe
        C:\Users\Admin\AppData\Local\Temp\2A3E.exe
        1⤵
          PID:3624
          • C:\Users\Admin\AppData\Local\Temp\2210.exe
            "C:\Users\Admin\AppData\Local\Temp\2210.exe"
            2⤵
              PID:4596
            • C:\Users\Admin\AppData\Local\Temp\cc.exe
              "C:\Users\Admin\AppData\Local\Temp\cc.exe"
              2⤵
                PID:4144
                • C:\Users\Admin\AppData\Local\Temp\cc.exe
                  "C:\Users\Admin\AppData\Local\Temp\cc.exe" -h
                  3⤵
                    PID:1004
              • C:\Users\Admin\AppData\Local\Temp\2BF5.exe
                C:\Users\Admin\AppData\Local\Temp\2BF5.exe
                1⤵
                  PID:4084
                • C:\Users\Admin\AppData\Local\Temp\2D5D.exe
                  C:\Users\Admin\AppData\Local\Temp\2D5D.exe
                  1⤵
                    PID:4932

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\2210.exe
                    Filesize

                    322KB

                    MD5

                    5fa44e4b9bdf4a59bda99667973788cc

                    SHA1

                    b62c758da770a08c0ebcea72b09d1796efabc9ef

                    SHA256

                    b1f2f8b43d3a780a18c9c1c136e30b40f66223a4582f504dce2650ee4643d4e4

                    SHA512

                    9127e6cabe14f0443a9d3b72a811c08ca4b9fc98290249f998ee33824118275c22f30e4cbbe5b04fe4a694d5c7bd504ccef27071e13c2b2dd89ca4774f75b9e1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2210.exe
                    Filesize

                    322KB

                    MD5

                    5fa44e4b9bdf4a59bda99667973788cc

                    SHA1

                    b62c758da770a08c0ebcea72b09d1796efabc9ef

                    SHA256

                    b1f2f8b43d3a780a18c9c1c136e30b40f66223a4582f504dce2650ee4643d4e4

                    SHA512

                    9127e6cabe14f0443a9d3b72a811c08ca4b9fc98290249f998ee33824118275c22f30e4cbbe5b04fe4a694d5c7bd504ccef27071e13c2b2dd89ca4774f75b9e1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2210.exe
                    Filesize

                    322KB

                    MD5

                    5fa44e4b9bdf4a59bda99667973788cc

                    SHA1

                    b62c758da770a08c0ebcea72b09d1796efabc9ef

                    SHA256

                    b1f2f8b43d3a780a18c9c1c136e30b40f66223a4582f504dce2650ee4643d4e4

                    SHA512

                    9127e6cabe14f0443a9d3b72a811c08ca4b9fc98290249f998ee33824118275c22f30e4cbbe5b04fe4a694d5c7bd504ccef27071e13c2b2dd89ca4774f75b9e1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\275F.exe
                    Filesize

                    702KB

                    MD5

                    dd9abe929205856ec2ed9079031a734f

                    SHA1

                    e5a167ef79f3d17d9e8350648c6ef828d2f6ff90

                    SHA256

                    5bd7b311854133644f6d2e46e4ae15ed95a75386d39b0478b02333dad6027f72

                    SHA512

                    5e6e95cb8467d0db43ba6e8803d443c78ed5149316488a0c19c8bbaa67c58b30ea38d9ee8c21677c87cb4038f3340b53e5d4cd26fc78c8a81f20292f05ae6c69

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\275F.exe
                    Filesize

                    702KB

                    MD5

                    dd9abe929205856ec2ed9079031a734f

                    SHA1

                    e5a167ef79f3d17d9e8350648c6ef828d2f6ff90

                    SHA256

                    5bd7b311854133644f6d2e46e4ae15ed95a75386d39b0478b02333dad6027f72

                    SHA512

                    5e6e95cb8467d0db43ba6e8803d443c78ed5149316488a0c19c8bbaa67c58b30ea38d9ee8c21677c87cb4038f3340b53e5d4cd26fc78c8a81f20292f05ae6c69

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\275F.exe
                    Filesize

                    702KB

                    MD5

                    dd9abe929205856ec2ed9079031a734f

                    SHA1

                    e5a167ef79f3d17d9e8350648c6ef828d2f6ff90

                    SHA256

                    5bd7b311854133644f6d2e46e4ae15ed95a75386d39b0478b02333dad6027f72

                    SHA512

                    5e6e95cb8467d0db43ba6e8803d443c78ed5149316488a0c19c8bbaa67c58b30ea38d9ee8c21677c87cb4038f3340b53e5d4cd26fc78c8a81f20292f05ae6c69

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2A3E.exe
                    Filesize

                    644KB

                    MD5

                    a00c734d7a5312cdf8ed6c75ef68941b

                    SHA1

                    28bf3699687c087f6e79e83bb3a661ab77a22f63

                    SHA256

                    6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c

                    SHA512

                    95b47173d13c9eea61dd467b2b14faf7b02e34f6158410119d996f307d792bd609508e770cdc163452955db17d55f58c2aabe3bf8c082b4862c15a223450a29b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2A3E.exe
                    Filesize

                    644KB

                    MD5

                    a00c734d7a5312cdf8ed6c75ef68941b

                    SHA1

                    28bf3699687c087f6e79e83bb3a661ab77a22f63

                    SHA256

                    6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c

                    SHA512

                    95b47173d13c9eea61dd467b2b14faf7b02e34f6158410119d996f307d792bd609508e770cdc163452955db17d55f58c2aabe3bf8c082b4862c15a223450a29b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2BF5.exe
                    Filesize

                    900KB

                    MD5

                    bb6d5035af210efdd03771c020894c78

                    SHA1

                    eb07854861a37e80483b43cbcabb8867806e5e06

                    SHA256

                    0794af6bbc668a5d995c34e55f41d5b40e877afa20205417f5d72690d7065b39

                    SHA512

                    b666c1e66770ea49a411fab4ab169e55972ec619a1e2048945996d580e2749c66eb4f8891864eccb777a2c37e39f36cd8d6a75f222519386be11ff0f3b2c245e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2BF5.exe
                    Filesize

                    900KB

                    MD5

                    bb6d5035af210efdd03771c020894c78

                    SHA1

                    eb07854861a37e80483b43cbcabb8867806e5e06

                    SHA256

                    0794af6bbc668a5d995c34e55f41d5b40e877afa20205417f5d72690d7065b39

                    SHA512

                    b666c1e66770ea49a411fab4ab169e55972ec619a1e2048945996d580e2749c66eb4f8891864eccb777a2c37e39f36cd8d6a75f222519386be11ff0f3b2c245e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2D5D.exe
                    Filesize

                    900KB

                    MD5

                    bb6d5035af210efdd03771c020894c78

                    SHA1

                    eb07854861a37e80483b43cbcabb8867806e5e06

                    SHA256

                    0794af6bbc668a5d995c34e55f41d5b40e877afa20205417f5d72690d7065b39

                    SHA512

                    b666c1e66770ea49a411fab4ab169e55972ec619a1e2048945996d580e2749c66eb4f8891864eccb777a2c37e39f36cd8d6a75f222519386be11ff0f3b2c245e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2D5D.exe
                    Filesize

                    900KB

                    MD5

                    bb6d5035af210efdd03771c020894c78

                    SHA1

                    eb07854861a37e80483b43cbcabb8867806e5e06

                    SHA256

                    0794af6bbc668a5d995c34e55f41d5b40e877afa20205417f5d72690d7065b39

                    SHA512

                    b666c1e66770ea49a411fab4ab169e55972ec619a1e2048945996d580e2749c66eb4f8891864eccb777a2c37e39f36cd8d6a75f222519386be11ff0f3b2c245e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\E77.exe
                    Filesize

                    262KB

                    MD5

                    ee5d54916c51052499f996720442b6d2

                    SHA1

                    4a99825c02bbf297535b4d1390803b238df9f92c

                    SHA256

                    2ee311011100a46a39352f8076d3fcf4c158301877a38cf311b1f321447db05e

                    SHA512

                    91e61f5f35c401a9c5495f2082e8e5be65468a1185ecaff5065982e156a2ec591539e3dcc050cce3aa881b374e2094182b1c12a1613cf25768afed97f03a423a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\E77.exe
                    Filesize

                    262KB

                    MD5

                    ee5d54916c51052499f996720442b6d2

                    SHA1

                    4a99825c02bbf297535b4d1390803b238df9f92c

                    SHA256

                    2ee311011100a46a39352f8076d3fcf4c158301877a38cf311b1f321447db05e

                    SHA512

                    91e61f5f35c401a9c5495f2082e8e5be65468a1185ecaff5065982e156a2ec591539e3dcc050cce3aa881b374e2094182b1c12a1613cf25768afed97f03a423a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\cc.exe
                    Filesize

                    312KB

                    MD5

                    eb7d2add3fe15ee8524a07c2c75bedb9

                    SHA1

                    d13c52cd6709f416aefe338922c77bae33a85f31

                    SHA256

                    4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822

                    SHA512

                    484f1172d1c0c240a8b3cb7412f41cafc25a6473256d96da4a2ed7657a7606e1a2ae202b4db43e5db180dc3325c3211b524f2d52389bd52452c5f09e2d194701

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\cc.exe
                    Filesize

                    312KB

                    MD5

                    eb7d2add3fe15ee8524a07c2c75bedb9

                    SHA1

                    d13c52cd6709f416aefe338922c77bae33a85f31

                    SHA256

                    4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822

                    SHA512

                    484f1172d1c0c240a8b3cb7412f41cafc25a6473256d96da4a2ed7657a7606e1a2ae202b4db43e5db180dc3325c3211b524f2d52389bd52452c5f09e2d194701

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\cc.exe
                    Filesize

                    312KB

                    MD5

                    eb7d2add3fe15ee8524a07c2c75bedb9

                    SHA1

                    d13c52cd6709f416aefe338922c77bae33a85f31

                    SHA256

                    4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822

                    SHA512

                    484f1172d1c0c240a8b3cb7412f41cafc25a6473256d96da4a2ed7657a7606e1a2ae202b4db43e5db180dc3325c3211b524f2d52389bd52452c5f09e2d194701

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\cc.exe
                    Filesize

                    312KB

                    MD5

                    eb7d2add3fe15ee8524a07c2c75bedb9

                    SHA1

                    d13c52cd6709f416aefe338922c77bae33a85f31

                    SHA256

                    4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822

                    SHA512

                    484f1172d1c0c240a8b3cb7412f41cafc25a6473256d96da4a2ed7657a7606e1a2ae202b4db43e5db180dc3325c3211b524f2d52389bd52452c5f09e2d194701

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
                    Filesize

                    45.5MB

                    MD5

                    cdfa95c229f331f6517f454fe4b6dbe2

                    SHA1

                    896d02355829ed0076c035f6733f979f250cd112

                    SHA256

                    b2c00dfd788b4e2490e1ed828139b9b11e4a83fa612f4e7b04c88dccd8bdf238

                    SHA512

                    1f23630dc6ff6ddb7151f4b875b3eb5126812e61acb3c165c77712a687149722e23b8adc3273400ba99931e8c2e29e7d16b92e305ed6fb6f8f9c78544b6095ad

                    Download Submit

                  • memory/1352-206-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/1352-198-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/1352-195-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/1352-197-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2108-136-0x0000000000400000-0x0000000000574000-memory.dmp

                    Filesize

                    1.5MB

                    Download

                  • memory/2108-134-0x00000000006D0000-0x00000000006D9000-memory.dmp

                    Filesize

                    36KB

                    Download

                  • memory/2820-190-0x0000000002340000-0x000000000245B000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/3136-135-0x00000000010E0000-0x00000000010F6000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/3532-147-0x00000000006D0000-0x000000000070D000-memory.dmp

                    Filesize

                    244KB

                    Download

                  • memory/3532-204-0x0000000000400000-0x0000000000574000-memory.dmp

                    Filesize

                    1.5MB

                    Download

                  • memory/3624-161-0x0000000000C40000-0x0000000000CE8000-memory.dmp

                    Filesize

                    672KB

                    Download

                  • memory/4084-207-0x000001F7B4210000-0x000001F7B433E000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/4084-208-0x000001F7B4020000-0x000001F7B4155000-memory.dmp

                    Filesize

                    1.2MB

                    Download