Analysis
-
max time kernel
39s -
max time network
63s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
-
submitted
14/12/2023, 16:37
General
-
Target
552cbe78e8078850c89a8e4deb2bce9c503af2a7c340a299c76ff77e0d150e28.exe
-
Size
257KB
-
MD5
3b4a071bf4a6f6dc379dfd6420a37018
-
SHA1
947dcc9ef11aa072cea7a9adacde38b2e4955c3f
-
SHA256
552cbe78e8078850c89a8e4deb2bce9c503af2a7c340a299c76ff77e0d150e28
-
SHA512
97afc047d22466f80550c138482bffdd66bef25fa19d948149b3bdbfe9043b6764124d107a763403e78960741dbe83c76597f2c62ace972594ea27df8ea8fd86
-
SSDEEP
3072:5wBaC7pYLdt9geueoqby6boK56qF1KZTFX:5wBaC7a9g5eoqb/jPcT
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
djvu
http://zexeq.com/test1/get.php
-
extension
.ljuy
-
offline_id
B5moRKh7Z0xwbuNave594QPrrx2R2HOTp49pUFt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mFyI2phKff Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0836ASdw
Signatures
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\552cbe78e8078850c89a8e4deb2bce9c503af2a7c340a299c76ff77e0d150e28.exe"C:\Users\Admin\AppData\Local\Temp\552cbe78e8078850c89a8e4deb2bce9c503af2a7c340a299c76ff77e0d150e28.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\552cbe78e8078850c89a8e4deb2bce9c503af2a7c340a299c76ff77e0d150e28.exe"C:\Users\Admin\AppData\Local\Temp\552cbe78e8078850c89a8e4deb2bce9c503af2a7c340a299c76ff77e0d150e28.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 3323⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2956 -ip 29561⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9347.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9607.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\C49A.exeC:\Users\Admin\AppData\Local\Temp\C49A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C49A.exeC:\Users\Admin\AppData\Local\Temp\C49A.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\6f080bd4-4317-4729-8a46-01213133ad27" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\C49A.exe"C:\Users\Admin\AppData\Local\Temp\C49A.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C49A.exe"C:\Users\Admin\AppData\Local\Temp\C49A.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1552 -ip 15521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 5681⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\D890.exeC:\Users\Admin\AppData\Local\Temp\D890.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DC1C.exeC:\Users\Admin\AppData\Local\Temp\DC1C.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
755KB
MD5c30809212ca8cd14fd119555575d818e
SHA1759de667c7bab5a9f981f9a421aac5c67472e05b
SHA25634745f4ad1e13c378174c22890558cf93a2d10a0dffa3d5c2814184009b7c5b4
SHA5122080d402a03cd1292f248a022555da4dbcd8697681ae2dd9457c4328d39f9691ee9565e45ee9247992ceac02e9503ea54087932c1f8ae6d50a5c988dededa644
-
Filesize
678KB
MD5c31fa07cb5caed10c418720500bedc57
SHA186e9c421de49eb1deaf92fde938a29f831aa86e4
SHA256309c2b36c7772aff2ef1f0e11cfb8e83592ccfc3a5317cd87d750a4edd25c47f
SHA512d919cb045de75c0d1d52986e38d5010c903542aa4a97bb49713126b359629970572e5dd8ca392e16ea1aba3b00fb0fbb71c2d2872f4a51f9b81bcef95a95b48e
-
Filesize
1.4MB
MD58866dbe499087e8f36e22e1eb91e09ef
SHA1c6739275abdcc272199d256a4ab01a705997ae9a
SHA256a7ca43592a0e8effd5ce13b2c93b38acef8808f31fbd5d014dda2ff5d7906cd7
SHA5120dee701ba93d5be87df7305b88b4319d6d456415bac3b2f49d73ff688b2b3946cefe49a3a0bae3a32de9bec8152a80762d5f19c1aa39b88c157fa6f8a69778da
-
Filesize
1.1MB
-
Filesize
620KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
10.8MB
-
Filesize
1.5MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
648KB