Overview

overview

10

Static

static

3

toolspub2.exe

windows7-x64

10

toolspub2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2024 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspub2.exe

  • Size

    255KB

  • MD5

    981b36d1cfeefa91f3ef5332922cdd8d

  • SHA1

    b8a6b27e011a503755c6df2501039edb82b092aa

  • SHA256

    461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a

  • SHA512

    e0932850586027a24b8d8d7a3fbbaf4fc466a89cc4382ca1fb31847b5c201df3855f31e7208c577cc7907e5af0792abff0092941774cf3b4a27256440ba0d7c2

  • SSDEEP

    3072:2lrJL/wx7/zm4XobcY66bIjWMHGZ4jnz2fbqbzx5h+4Wy601:23L/wxf9Y6mIjN/nmI+4W1

Score
10/10
djvusmokeloaderup3backdoordiscoverypersistenceransomwaretrojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .cdpo

  • offline_id

    Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 368
      2⤵
      • Program crash
      PID:5064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3040 -ip 3040
    1⤵
      PID:1312
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      1⤵
        PID:3512
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D188.bat" "
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
        1⤵
          PID:4404
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D571.bat" "
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3616
        • C:\Users\Admin\AppData\Local\Temp\B38.exe
          C:\Users\Admin\AppData\Local\Temp\B38.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:5108
          • C:\Users\Admin\AppData\Local\Temp\B38.exe
            C:\Users\Admin\AppData\Local\Temp\B38.exe
            2⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4100
            • C:\Windows\SysWOW64\icacls.exe
              icacls "C:\Users\Admin\AppData\Local\c9142965-5ae8-48ac-9435-7fc1040e9f2b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              3⤵
              • Modifies file permissions
              PID:4436
            • C:\Users\Admin\AppData\Local\Temp\B38.exe
              "C:\Users\Admin\AppData\Local\Temp\B38.exe" --Admin IsNotAutoStart IsNotTask
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1308
              • C:\Users\Admin\AppData\Local\Temp\B38.exe
                "C:\Users\Admin\AppData\Local\Temp\B38.exe" --Admin IsNotAutoStart IsNotTask
                4⤵
                • Executes dropped EXE
                PID:3428
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3428 -ip 3428
          1⤵
            PID:1876
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 568
            1⤵
            • Program crash
            PID:3724
          • C:\Users\Admin\AppData\Local\Temp\3542.exe
            C:\Users\Admin\AppData\Local\Temp\3542.exe
            1⤵
            • Executes dropped EXE
            PID:2504
          • C:\Users\Admin\AppData\Local\Temp\40EB.exe
            C:\Users\Admin\AppData\Local\Temp\40EB.exe
            1⤵
            • Executes dropped EXE
            PID:3860

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\3542.exe
            Filesize

            5.1MB

            MD5

            2fbe0438e264ec1d6c19e0a80daa02d7

            SHA1

            f25dd81b7804a7772c7c2364919562641205bd85

            SHA256

            9af6a9f2baba974a008ecca33ccd921b577ba580e31c5cabc925d057b2b13a3f

            SHA512

            9ff37dfab475ee17ac48f007096ef07e854e203d728bd9d5a1fe60e995cf937c71d5c64c1984036bad6888531ab1c5910aad0d2f62f962485e3eee3a28c9173c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\3542.exe
            Filesize

            2.7MB

            MD5

            a5adb2a52fa4739006eec322ef30f807

            SHA1

            557edbff7269d205be371abbcc43578e07f3fb36

            SHA256

            85985fa67e579f675990af51cd3dd8c4fcbd7062669e94ae43ab23b70c34fd3f

            SHA512

            6874f31d60fb608a136818a8109100a1600663af2d71a6796e5828b5f975da4aee4834d756ddf6a3773e1ee25b47c19867898964955509cf51af8652980c242f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\40EB.exe
            Filesize

            418KB

            MD5

            9429434d4229204bcd3f5a9e65997d06

            SHA1

            b4e26270cf8cfd0ffc69cea8385e5be41afa6049

            SHA256

            b427236a1befbe2fc63916f2bbf0076fc667f92dd4ca715a3d922f25bbef9139

            SHA512

            8ce466189b287730510177586651d70e34212e01eaaa6b58e2dba601445cf26d9e8d2dcc1c9c9461b4da2204da6cc18bea9a52f3b3d966038f5024474050d7c0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\40EB.exe
            Filesize

            403KB

            MD5

            593e6312a6aca7189df24a49ab7ad120

            SHA1

            3b4daf49c00d3a2275d01498b77bf600e1a73953

            SHA256

            142960c6f3973bc7722d8523be002a592e8736e893e865d5ffc97dc133172ecc

            SHA512

            3ae0cb5ab2cab69c524da6c433952634c0375a8fa39b74bd869f39220dfa562019ee66d5dc868d3cdd0409925e0bc49b8501be0ca0fac0a5281e51d639edd100

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\B38.exe
            Filesize

            754KB

            MD5

            0d7b0e8e6222fa5bfb54ecc36281308a

            SHA1

            d2b2a8a310538be0d6680640a965cbc626b8d675

            SHA256

            24a4f148d10a2fa9eb0ea7c47184f1a9f0a07139bd5d30e4622e4ea1ca6d60a6

            SHA512

            a573c4af5051b38aff5cdbae1f5b26fba2175d4335a174e14657c1a835ca81491d948abfa9e49248e805b6365ec706e51fe544ddd47d92ae54ee5d2aaf9f2a17

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D188.bat
            Filesize

            77B

            MD5

            55cc761bf3429324e5a0095cab002113

            SHA1

            2cc1ef4542a4e92d4158ab3978425d517fafd16d

            SHA256

            d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

            SHA512

            33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

            Download Submit

          • memory/1308-46-0x0000000002570000-0x000000000260A000-memory.dmp

            Filesize

            616KB

            Download

          • memory/2504-65-0x0000000001580000-0x0000000001581000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2504-75-0x0000000002610000-0x000000000272B000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2504-64-0x0000000002610000-0x000000000272B000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2504-62-0x00000000006C0000-0x0000000001137000-memory.dmp

            Filesize

            10.5MB

            Download

          • memory/2504-58-0x00000000006C0000-0x0000000001137000-memory.dmp

            Filesize

            10.5MB

            Download

          • memory/3040-8-0x0000000000400000-0x0000000000862000-memory.dmp

            Filesize

            4.4MB

            Download

          • memory/3040-4-0x0000000000400000-0x0000000000862000-memory.dmp

            Filesize

            4.4MB

            Download

          • memory/3040-3-0x0000000000400000-0x0000000000862000-memory.dmp

            Filesize

            4.4MB

            Download

          • memory/3040-2-0x00000000008F0000-0x00000000008F9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/3040-1-0x0000000000A50000-0x0000000000B50000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/3400-5-0x0000000000840000-0x0000000000856000-memory.dmp

            Filesize

            88KB

            Download

          • memory/3428-52-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-50-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-49-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3860-70-0x000002B226F10000-0x000002B22703E000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3860-74-0x00007FFE1F190000-0x00007FFE1FC51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3860-71-0x000002B241580000-0x000002B2416B2000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3860-72-0x00007FFE1F190000-0x00007FFE1FC51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3860-73-0x000002B2416C0000-0x000002B2416D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4100-31-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4100-29-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4100-30-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4100-27-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4100-43-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/5108-26-0x0000000002710000-0x000000000282B000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/5108-25-0x0000000002560000-0x0000000002600000-memory.dmp

            Filesize

            640KB

            Download