Analysis
max time kernel: 153s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/09/2023, 11:36
Static task: static1
Behavioral task: behavioral1
  Sample: 1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe
  Resource: win10v2004-20230915-en
General
Target: 1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe
Size: 212KB
MD5: 27f5207eb726b8d39f594c28416e2917
SHA1: 452eb6cc892b3add9e99c976abd082499d24ecf0
SHA256: 1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c
SHA512: fa5a7509fb90a01b027ed5f36215629a2af077326e84a2a315036b32c2316dc374da25f51c4a44114e485b5c2af627a20c3d7421bc83e0a75f382656cab51470
SSDEEP: 3072:3XJdNdlNSoDR3pAMrWBCzDzHICQqFzqunHhvb51KOoDtmz:nLNLMyR3iM6CzvIcqunHdKd
Malware Config

Extracted: smokeloader
  version: 2022
  C2 URLs:
    http://potunulit.org/
    http://hutnilior.net/
    http://bulimu55t.net/
    http://soryytlic4.net/
    http://novanosa5org.org/
    http://nuljjjnuli.org/
    http://tolilolihul.net/
    http://somatoka51hub.net/
    http://hujukui3.net/
    http://bukubuka1.net/
    http://golilopaster.org/
    http://newzelannd66.org/
    http://otriluyttn.org/

Extracted: djvu
  C2 URL: http://zexeq.com/raud/get.php
  extension: .azhi
  offline_id: GQ9DjFmWFDqpsyzsOnaxE1Xr4MPL1dG4vPfPDNt1
  payload_url:
    http://colisumy.com/dl/build2.exe
    http://zexeq.com/files/1/build3.exe
  ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e5pgPH03fe Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0793
Extracted: smokeloader
  version: pub1
Signatures

Detected Djvu ransomware (5 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1588-19-0x0000000004460000-0x000000000457B000-memory.dmp   family_djvu
  behavioral2/memory/4548-25-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
  behavioral2/memory/4548-27-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
  behavioral2/memory/4548-29-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu
  behavioral2/memory/4548-30-0x0000000000400000-0x0000000000537000-memory.dmp   family_djvu

Djvu Ransomware
  Ransomware which is a variant of the STOP family.

SmokeLoader
  Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
  pid    Process
  1588   4B72.exe
  2812   4E23.exe
  4548   4B72.exe
  2740   6093.exe

Loads dropped DLL (1 IoCs)
  pid    Process
  3796   regsvr32.exe

Modifies file permissions (1 TTPs, 1 IoCs)
  pid    Process
  664    icacls.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  62     api.2ip.ua
  63     api.2ip.ua

Suspicious use of SetThreadContext (2 IoCs)
  description                           pid    Process    procid_target
  PID 2812 set thread context of 4668   2812   4E23.exe   98
  PID 1588 set thread context of 4548   1588   4B72.exe   100

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description      ioc                                                Process
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  1188   1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe   (2 entries)
  3124   Process not Found   (all remaining entries)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid    Process
  1188   1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                          pid    Process
  Token: SeShutdownPrivilege           3124   Process not Found
  Token: SeCreatePagefilePrivilege     3124   Process not Found
  Token: SeShutdownPrivilege           3124   Process not Found
  Token: SeCreatePagefilePrivilege     3124   Process not Found
  Token: SeShutdownPrivilege           3124   Process not Found
  Token: SeCreatePagefilePrivilege     3124   Process not Found

Suspicious use of WriteProcessMemory (31 IoCs)
  description                          pid    Process             procid_target   entries
  PID 3124 wrote to memory of 1588     3124   Process not Found   94              3
  PID 3124 wrote to memory of 3032     3124   Process not Found   95              2
  PID 3124 wrote to memory of 2812     3124   Process not Found   96              2
  PID 2812 wrote to memory of 4668     2812   4E23.exe            98              8
  PID 3032 wrote to memory of 3796     3032   regsvr32.exe        99              3
  PID 1588 wrote to memory of 4548     1588   4B72.exe            100             10
  PID 3124 wrote to memory of 2740     3124   Process not Found   101             3

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe"
  PID: 1188
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\4B72.exe
  command line: C:\Users\Admin\AppData\Local\Temp\4B72.exe
  PID: 1588
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\4B72.exe  (child process)
      command line: C:\Users\Admin\AppData\Local\Temp\4B72.exe
      PID: 4548
      - Executes dropped EXE
        C:\Windows\SysWOW64\icacls.exe  (child process)
          command line: icacls "C:\Users\Admin\AppData\Local\5f476f65-68ad-4a61-bbea-f005c2cbd796" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          PID: 664
          - Modifies file permissions

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4CF9.dll
  PID: 3032
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe  (child process)
      command line: /s C:\Users\Admin\AppData\Local\Temp\4CF9.dll
      PID: 3796
      - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\4E23.exe
  command line: C:\Users\Admin\AppData\Local\Temp\4E23.exe
  PID: 2812
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  (child process)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      PID: 4668

C:\Users\Admin\AppData\Local\Temp\6093.exe
  command line: C:\Users\Admin\AppData\Local\Temp\6093.exe
  PID: 2740
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\66BE.exe
  command line: C:\Users\Admin\AppData\Local\Temp\66BE.exe
  PID: 3600
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 817KB  (listed 4 times)
  MD5: 0511a0c819ade47392a2f3a51eaf1f0b
  SHA1: 39b0471e8d501702179bfcb744728c00dcced7ba
  SHA256: 635a73433a258fa5a9b3b015f57ca84e1c296e9b65888fb64ebb602213a9d49d
  SHA512: a3fc26ace23b84369a653a508744bb4502b64d4acf7548eabf4efe255a4faad89ca5d37e5bfe54f2f1ef81061fed95467cc4aa5672429a5f6714959f28bad1b5

Filesize: 1.6MB  (listed 2 times)
  MD5: 9b9f5bbdb27f30ffb9eddec2df39137e
  SHA1: 92c46dcd23fcda7d0d53e1a49f9a4d3e9684d054
  SHA256: 7eaebda0f4c88c43d8de32202090c3e158f5f25cf8dcef20a46b4eb0d72cd4bc
  SHA512: 33def0eead3fadf32ba0c5da7e626986b7a928af2f0cb4d480d1c422737581332d63acd2795a3bd793916b2a074f809d699d9732d81c23373c2620e76ddfc675

Filesize: 239KB  (listed 2 times)
  MD5: 3240f8928a130bb155571570c563200a
  SHA1: aa621ddde551f7e0dbeed157ab1eac3f1906f493
  SHA256: a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42
  SHA512: e7c357e54b7768f1a66e0dabe2c604afe3765eb858f8b4e5751659a4b373b10fb6cc1dc72641aabf83e34d097f28fa70a78482310ecd93e9aa0347378bde409b

Filesize: 3.9MB
  MD5: 17babdf3fe34211124f30a21b1dab992
  SHA1: 563ad01cd395a59c7328d988bc705b2eb46c9810
  SHA256: 420f9663ae6840d5bed911d35b672efab6f0415165c12426db44bc68410ef72d
  SHA512: a8aded23074d6db0966fce15f4337d0cb62e913821b4db1077dae8d9faa72d4a5732f338980ebc255d7e6afc1c72eccfeb21525c50b004ada3093f3d0b55dcc6

Filesize: 4.4MB
  MD5: 50d3e926522928e0bb665bec03216a64
  SHA1: ed8fb52a945da7ef686ee451f8518d6e0c2a87fd
  SHA256: 289722c9385eae72747a01db8313e58670605df8cc5adc2ac6531a6503ea5ff4
  SHA512: a27c7e10eb113fd3fdabd7db1927acdf2a95283d867c37ed999bb1ab3896c03d5ca97d975b8af1dfac5acdddb76720f0ec47fd0f002a59eb96c3758ab6d361d1

Filesize: 309KB  (listed 2 times)
  MD5: c0526b466507cb44d67f6d6f8f209047
  SHA1: 4fe125837e7fc7167258b80277c856a7f5e85275
  SHA256: fc60a01b7577ee26125e216619c0942529777a7734bef8c0cdacbf8004b7a79b
  SHA512: f3d610b658fce192e63cda1846fabd3b0af9c8bef3b38515b04af61737bd1349ad22ef018f3247b8ba3ba146658af4e9fba799f46790299944d7081146944fad