Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
08-02-2024 19:16
General
-
Target
69d761d941e1a7a4721e267e91167b3a.exe
-
Size
170KB
-
MD5
69d761d941e1a7a4721e267e91167b3a
-
SHA1
7e83135738bdd132a8c9da031b4794852cfc9f8b
-
SHA256
c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649
-
SHA512
4ccfe22c2a726f10e4956383fb12371cc07be797707ac6b5dba1a14a5b798c24503bd4f29302c525240dffd0a3f1d3775ff575a2fddb4443df974d1de5ce1295
-
SSDEEP
3072:lLWPQWxrjDjU6G+JLfeEXcUesyx0RcAJ+qVeYg:lLWPvjU6TFhXBes/c
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.ldhy
-
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0849ASdw
Extracted
marsstealer
Default
Signatures
-
Detect ZGRat V1 20 IoCs
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
.NET Reactor proctector 11 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\69d761d941e1a7a4721e267e91167b3a.exe"C:\Users\Admin\AppData\Local\Temp\69d761d941e1a7a4721e267e91167b3a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C60F.exeC:\Users\Admin\AppData\Local\Temp\C60F.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\DAF0.exeC:\Users\Admin\AppData\Local\Temp\DAF0.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DAF0.exeC:\Users\Admin\AppData\Local\Temp\DAF0.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\8a693bba-b6d2-4101-a9c8-94cbc8138233" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\DAF0.exe"C:\Users\Admin\AppData\Local\Temp\DAF0.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DAF0.exe"C:\Users\Admin\AppData\Local\Temp\DAF0.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 5685⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1720 -ip 17201⤵
-
C:\Users\Admin\AppData\Local\Temp\6E86.exeC:\Users\Admin\AppData\Local\Temp\6E86.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 3722⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 11122⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\828C.exeC:\Users\Admin\AppData\Local\Temp\828C.exe1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 12242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4980 -ip 49801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4980 -ip 49801⤵
-
C:\Users\Admin\AppData\Local\Temp\89E0.exeC:\Users\Admin\AppData\Local\Temp\89E0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\8ED3.exeC:\Users\Admin\AppData\Local\Temp\8ED3.exe1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA36F.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\ping.exe"C:\Windows\SYSWOW64\ping.exe"4⤵
- Loads dropped DLL
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 9085⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\SYSWOW64\calc.exe"4⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3376 -ip 33761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 448 -ip 4481⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
Filesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
Filesize
6.0MB
MD595e59305ad61119cf15ee95562bd05ba
SHA10f0059cda9609c46105cf022f609c407f3718e04
SHA256dd87f94c961b9612bbd65761bee6ed15318d63652f262e2c425bd177a2341a19
SHA5125fbcfe79162460080e0c3944df747835f0b8f2cdb35b038eb69eadf2eb85a209f7d5432a328d0f0eeafba036012f48793e3c08d94531b98a12a498bcf3b00ad2
-
Filesize
649KB
MD535ffefa212414c2538df410e5ad3afa7
SHA1e7721fbb85e400c74c7f4de95f1c27b6318caabd
SHA2569217999518147c602f16ed7d80c9b95dec621f442192ce49192736a27e73847f
SHA5127bf9ffe99588a1e6e01a6c84fee7bd998b337653c908e33d3c10f1aa9abc7af925ca9d86a884099824133947614aa070181c973b220163dd99dde87765152a25
-
Filesize
952KB
MD5422a9c5cfa6370c93a4bd5db29c3d196
SHA1caaf89e601fde4bc9dbe3c0edda8e7efa5062e17
SHA25682311d6280999d5c9d368377e30b8f55abe2a3d7d98f8c074f6e40c5be7cd965
SHA5122caf014595f65caa26bd7c8396f981ee452ef01fdf35dde3e9e2e950855f564e97026f71c52b9a49526f9bca68d4f5c6d4bc9ba51d4b8330e38e4b4b84214e96
-
Filesize
68KB
MD5cd2b5a09efdac0ffbd76111f44733138
SHA16db6bc9dba96632213d1077155725f388237e268
SHA2561c6b4fadf6a74e1dfacd17468bdb0743ec21a1bdf3fcd4c3f58bf727efb1c74c
SHA51216fa87494baa4d65bd170d346efe082b998689d0c3488cec764170f5c0e63a7a4ad2fc51f18aa710aa8bca1ed84af99965baae692a81cead192cfa63aa37c714
-
Filesize
170KB
MD569d761d941e1a7a4721e267e91167b3a
SHA17e83135738bdd132a8c9da031b4794852cfc9f8b
SHA256c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649
SHA5124ccfe22c2a726f10e4956383fb12371cc07be797707ac6b5dba1a14a5b798c24503bd4f29302c525240dffd0a3f1d3775ff575a2fddb4443df974d1de5ce1295
-
Filesize
699KB
MD5a2b38ede1742205c46b74ce044287fb9
SHA18415a9ab51551583f3ace6916816c4474a2ffb9b
SHA256324a8068a203d94f77eb773e1491ca27fd52b5a2b5b220f50d3a9b86f9d69965
SHA5129fb2d5c030bedcb71132db3c019fdf7131826e48cb4c64d779bd2e853ab110d8fd384e3ed07946ee8bd055c880e17510488b6edc68421a99a76bfd57872694d4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
151B
MD507c29ea3be1d6f420b360f231fcb6976
SHA1ce23ecbd7d2a607ceffeaaaebdc46494a722e5e0
SHA25609a6fc075d2f8d60cd8524c26982dbe5ee572df3d4f675b9f7983678958e98cf
SHA5123b4401e48b0a6a4bafa2318aa597a332048d7fda334568b8c23cb9cf8a8aee8603f0dc64b7eb408bc7a01c653ea6de7243987206611d81243f0759eaa148b5e6
-
Filesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
Filesize
7.7MB
-
Filesize
676KB
-
Filesize
676KB
-
Filesize
676KB
-
Filesize
676KB
-
Filesize
1024KB
-
Filesize
676KB
-
Filesize
676KB
-
Filesize
676KB
-
Filesize
676KB
-
Filesize
676KB
-
Filesize
696KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
704KB
-
Filesize
800KB
-
Filesize
788KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
628KB
-
Filesize
1.1MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
39.8MB
-
Filesize
39.8MB
-
Filesize
39.8MB
-
Filesize
39.8MB
-
Filesize
1024KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
244KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
644KB
-
Filesize
584KB
-
Filesize
104KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
568KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
7.7MB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
1.0MB
-
Filesize
968KB
-
Filesize
960KB
-
Filesize
11.4MB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB