Analysis

  • max time kernel
    39s
  • max time network
    49s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/12/2023, 21:16

General

  • Target

    3edbc9c7553dad54925210b7f9ece36c.exe

  • Size

    301KB

  • MD5

    3edbc9c7553dad54925210b7f9ece36c

  • SHA1

    57014d3163d27b21075c37d993c14a56cf7208da

  • SHA256

    596be482747a9c9fe559196b0a389de92eeeea2b305777c2d1800f9c014c22ce

  • SHA512

    2944c936c953478fdc496b90428296080f49f91de136b36c88ef95b330ad8300d560291d7d14b98e168b8f589482e6f4cb0ad08102c2f16721d0d54f7c1773b1

  • SSDEEP

    6144:jTisyjd2Gdq45dCnn0jiXXg/RHnpVeVs4:/VGYGs45dCnnFXkVeu

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .loqw

  • offline_id

    NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3edbc9c7553dad54925210b7f9ece36c.exe
    "C:\Users\Admin\AppData\Local\Temp\3edbc9c7553dad54925210b7f9ece36c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Users\Admin\AppData\Local\Temp\3edbc9c7553dad54925210b7f9ece36c.exe
      "C:\Users\Admin\AppData\Local\Temp\3edbc9c7553dad54925210b7f9ece36c.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:644
  • C:\Users\Admin\AppData\Local\Temp\E81E.exe
    C:\Users\Admin\AppData\Local\Temp\E81E.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\E81E.exe
      C:\Users\Admin\AppData\Local\Temp\E81E.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:3688
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E9A5.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
      PID:3296
  • C:\Users\Admin\AppData\Local\Temp\FF51.exe
    C:\Users\Admin\AppData\Local\Temp\FF51.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Users\Admin\AppData\Local\Temp\FF51.exe
      C:\Users\Admin\AppData\Local\Temp\FF51.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\b838bee8-ca3a-4746-a576-61108fcec3eb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:4660
      • C:\Users\Admin\AppData\Local\Temp\FF51.exe
        "C:\Users\Admin\AppData\Local\Temp\FF51.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4884
        • C:\Users\Admin\AppData\Local\Temp\FF51.exe
          "C:\Users\Admin\AppData\Local\Temp\FF51.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Executes dropped EXE
          PID:1360
  • C:\Users\Admin\AppData\Local\Temp\ABC.exe
    C:\Users\Admin\AppData\Local\Temp\ABC.exe
    1⤵
    • Executes dropped EXE
    PID:3468
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1360 -ip 1360
    1⤵
    PID:4644
  • C:\Users\Admin\AppData\Local\Temp\1452.exe
    C:\Users\Admin\AppData\Local\Temp\1452.exe
    1⤵
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ABC.exe

    Filesize

    2.7MB

    MD5

    b354abdb8c17beeae07b9418535f4bdc

    SHA1

    cb4fb26e9c00426cf3d1c70f99e72fd36d6c22b9

    SHA256

    f688fb7b4cf19a4760138e7625915815f4acc23732456a3540f76f39aed90417

    SHA512

    21a37e78fff981ba88cab5e92b5c61216af93fc8a44bffdc33a3fcb16875d271790d18d6a0247367594965bae0ee0ee8e56994f02db0df5dbd5179a8dd0d613f

  • C:\Users\Admin\AppData\Local\Temp\E81E.exe

    Filesize

    301KB

    MD5

    3edbc9c7553dad54925210b7f9ece36c

    SHA1

    57014d3163d27b21075c37d993c14a56cf7208da

    SHA256

    596be482747a9c9fe559196b0a389de92eeeea2b305777c2d1800f9c014c22ce

    SHA512

    2944c936c953478fdc496b90428296080f49f91de136b36c88ef95b330ad8300d560291d7d14b98e168b8f589482e6f4cb0ad08102c2f16721d0d54f7c1773b1

  • C:\Users\Admin\AppData\Local\Temp\E9A5.bat

    Filesize

    77B

    MD5

    55cc761bf3429324e5a0095cab002113

    SHA1

    2cc1ef4542a4e92d4158ab3978425d517fafd16d

    SHA256

    d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

    SHA512

    33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

  • C:\Users\Admin\AppData\Local\Temp\FF51.exe

    Filesize

    810KB

    MD5

    c108826f0555d4e9d6f1fcd7f0b872cd

    SHA1

    3f25f209b69a8b95c03292c165e97ca6ed38a102

    SHA256

    b590920e6bd30cbbc602a47a86db121a1d781c98943c8d2e968fa3ad7cfc7cd9

    SHA512

    e9c9944866e878955e69c9520812f3a6cef0f355081c425086be5ae81c9ead9b1847ab9088a30c86ccaea3c704f1e961b05279c9ce29f44d4d5d5ab25979f04f

  • memory/644-4-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/644-3-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/644-6-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1360-61-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/1360-64-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/1360-62-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/1688-23-0x00000000025F0000-0x00000000026F0000-memory.dmp

    Filesize

    1024KB

  • memory/3428-5-0x00000000027D0000-0x00000000027E6000-memory.dmp

    Filesize

    88KB

  • memory/3428-26-0x00000000070B0000-0x00000000070C6000-memory.dmp

    Filesize

    88KB

  • memory/3688-25-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3688-27-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4100-38-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/4100-40-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/4100-41-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/4100-42-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/4100-52-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/4828-37-0x0000000004150000-0x000000000426B000-memory.dmp

    Filesize

    1.1MB

  • memory/4828-36-0x00000000026D0000-0x0000000002767000-memory.dmp

    Filesize

    604KB

  • memory/4884-58-0x0000000003F10000-0x0000000003FAF000-memory.dmp

    Filesize

    636KB

  • memory/5092-2-0x0000000003FC0000-0x0000000003FC9000-memory.dmp

    Filesize

    36KB

  • memory/5092-1-0x00000000024E0000-0x00000000025E0000-memory.dmp

    Filesize

    1024KB