Analysis
- max time kernel: 163s
- max time network: 215s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-10-2023 15:18
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe
- Size: 241KB
- MD5: df25f71bbfe99d98745cef918cda8d77
- SHA1: abad71342f8117b6c1ec710874fc3eb2a841497a
- SHA256: c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821
- SHA512: aac7b176d863f9793ab56221a8a064c489dd6d54f63e35990f56563926d7ef846d75607ca88208912afc4c5118374ee0ef61f754685b98c6feb0c97dad3fcbf8
- SSDEEP: 3072:kCEWivbZ/pFgRv07856weP7FqAKU/TX9sLsv57qtN+y7qh:qWsbTF8M7856TwHUrXhVqtN+y
Malware Config
Extracted: smokeloader
- 2022
Extracted: amadey
- 3.87
- http://79.137.192.18/9bDc8sQ/index.php
- install_dir: 577f58beff
- install_file: yiueea.exe
- strings_key: a5085075a537f09dec81cc154ec0af4d
Signatures

Detected Djvu ransomware (2 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/1776-20-0x0000000004A40000-0x0000000004B5B000-memory.dmp | family_djvu |
| behavioral2/memory/4076-24-0x0000000000250000-0x00000000009D0000-memory.dmp | family_djvu |
Djvu Ransomware
Ransomware which is a variant of the STOP family.

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (5 IoCs)

| pid | Process |
| --- | --- |
| 1776 | 8090.exe |
| 4076 | AB0C.exe |
| 536 | C174.exe |
| 3708 | E306.exe |
| 4412 | E9ED.exe |

| resource | yara_rule |
| --- | --- |
| behavioral2/files/0x00040000000006e1-23.dat | themida |
| behavioral2/files/0x00040000000006e1-27.dat | themida |
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
| --- | --- |
| 2492 | NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe |
| 2492 | NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe |
| 2280 | Process not Found |

The row `2280 | Process not Found` appears 62 times in the original table; the repeats are collapsed here.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | Process |
| --- | --- |
| 2280 | Process not Found |

Suspicious behavior: MapViewOfSection (1 IoC)

| pid | Process |
| --- | --- |
| 2492 | NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe |

Suspicious use of AdjustPrivilegeToken (14 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeShutdownPrivilege | 2280 | Process not Found |
| Token: SeCreatePagefilePrivilege | 2280 | Process not Found |

Each of these two rows appears 7 times in the original table, alternating; the repeats are collapsed here.

Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | Process |
| --- | --- |
| 2280 | Process not Found |
| 2280 | Process not Found |

Suspicious use of UnmapMainImage (1 IoC)

| pid | Process |
| --- | --- |
| 2280 | Process not Found |

Suspicious use of WriteProcessMemory (15 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2280 wrote to memory of 1776 | 2280 | Process not Found | 85 |
| PID 2280 wrote to memory of 4076 | 2280 | Process not Found | 88 |
| PID 2280 wrote to memory of 536 | 2280 | Process not Found | 89 |
| PID 2280 wrote to memory of 3708 | 2280 | Process not Found | 90 |
| PID 2280 wrote to memory of 4412 | 2280 | Process not Found | 91 |

Each of these five rows appears 3 times in the original table; the repeats are collapsed here.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe"), PID 2492
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\8090.exe (command line: C:\Users\Admin\AppData\Local\Temp\8090.exe), PID 1776
  - Executes dropped EXE
  - Child process: C:\Users\Admin\AppData\Local\Temp\8090.exe (command line: C:\Users\Admin\AppData\Local\Temp\8090.exe), PID 2616
- C:\Users\Admin\AppData\Local\Temp\AB0C.exe (command line: C:\Users\Admin\AppData\Local\Temp\AB0C.exe), PID 4076
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\C174.exe (command line: C:\Users\Admin\AppData\Local\Temp\C174.exe), PID 536
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\E306.exe (command line: C:\Users\Admin\AppData\Local\Temp\E306.exe), PID 3708
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\E9ED.exe (command line: C:\Users\Admin\AppData\Local\Temp\E9ED.exe), PID 4412
  - Executes dropped EXE
Downloads