Analysis
max time kernel: 148s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-03-2024 03:18
Static task: static1
Behavioral task: behavioral1
  Sample: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
  Resource: win10v2004-20240226-en
General
Target: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
Size: 161KB
MD5: fb8ddd837ad8b94f1faf0b4920ce7b2b
SHA1: c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b
SHA256: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee
SHA512: db218213ee139583f69b00ea7e33986857cbc73f0e549f996e0dc3b0b34282c838f874a65c13fa7e21adfb8d876ca6cef9421a19171c214b1ea98b1a99f1bc74
SSDEEP: 1536:IwYZ5gZyjech8y/nK/bobGPgeMWKQxljH3PBe/8YkfbM9Wzw1mE3SmJQENYmAzTa:YiZpyDz/WVPX/9CWz9xmJQMYmAzsX
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.wisz
-
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
-
Detected Djvu ransomware 9 IoCs
resource | yara_rule
behavioral2/memory/3336-17-0x00000000037E0000-0x00000000038FB000-memory.dmp | family_djvu
behavioral2/memory/2580-18-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2580-20-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2580-21-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2580-22-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2580-32-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2060-38-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2060-39-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2060-41-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 2 IoCs
resource | yara_rule
behavioral2/memory/1188-88-0x0000000003F80000-0x000000000486B000-memory.dmp | family_glupteba
behavioral2/memory/1188-89-0x0000000000400000-0x0000000001E13000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | 41D6.exe
Deletes itself 1 IoCs
pid | Process
3344 | Process not Found
Executes dropped EXE 7 IoCs
pid | Process
3336 | 41D6.exe
2580 | 41D6.exe
4588 | 41D6.exe
2060 | 41D6.exe
4380 | ificwsh
2000 | 8729.exe
1188 | 9CD6.exe
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
5020 | icacls.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\51a9255f-390b-435a-a03d-578945d2dea1\\41D6.exe\" --AutoStart" | 41D6.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
146 | api.2ip.ua
151 | api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3336 set thread context of 2580 | 3336 | 41D6.exe | 113
PID 4588 set thread context of 2060 | 4588 | 41D6.exe | 117
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3876 | 2060 | WerFault.exe | 117
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ificwsh
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ificwsh
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ificwsh
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
324 | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe (row repeated 2 times)
3344 | Process not Found (row repeated 62 times)
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
324 | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
4380 | ificwsh
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3344 | Process not Found
Token: SeCreatePagefilePrivilege | 3344 | Process not Found
Token: SeShutdownPrivilege | 3344 | Process not Found
Token: SeCreatePagefilePrivilege | 3344 | Process not Found
Token: SeShutdownPrivilege | 3344 | Process not Found
Token: SeCreatePagefilePrivilege | 3344 | Process not Found
Token: SeShutdownPrivilege | 3344 | Process not Found
Token: SeCreatePagefilePrivilege | 3344 | Process not Found
Suspicious use of WriteProcessMemory 39 IoCs
description | pid | Process | procid_target
PID 3344 wrote to memory of 3336 | 3344 | Process not Found | 112 (row repeated 3 times)
PID 3336 wrote to memory of 2580 | 3336 | 41D6.exe | 113 (row repeated 10 times)
PID 2580 wrote to memory of 5020 | 2580 | 41D6.exe | 114 (row repeated 3 times)
PID 2580 wrote to memory of 4588 | 2580 | 41D6.exe | 115 (row repeated 3 times)
PID 4588 wrote to memory of 2060 | 4588 | 41D6.exe | 117 (row repeated 10 times)
PID 3344 wrote to memory of 2000 | 3344 | Process not Found | 123 (row repeated 3 times)
PID 3344 wrote to memory of 4368 | 3344 | Process not Found | 124 (row repeated 2 times)
PID 4368 wrote to memory of 3472 | 4368 | cmd.exe | 126 (row repeated 2 times)
PID 3344 wrote to memory of 1188 | 3344 | Process not Found | 127 (row repeated 3 times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 324

C:\Users\Admin\AppData\Local\Temp\41D6.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\41D6.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3336

  C:\Users\Admin\AppData\Local\Temp\41D6.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\41D6.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2580

    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\51a9255f-390b-435a-a03d-578945d2dea1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
      PID: 5020

    C:\Users\Admin\AppData\Local\Temp\41D6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\41D6.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 4588

      C:\Users\Admin\AppData\Local\Temp\41D6.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\41D6.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        PID: 2060

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 568
          - Program crash
          PID: 3876

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2060 -ip 2060
  PID: 4144

C:\Users\Admin\AppData\Roaming\ificwsh
  Command line: C:\Users\Admin\AppData\Roaming\ificwsh
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 4380

C:\Users\Admin\AppData\Local\Temp\8729.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\8729.exe
  - Executes dropped EXE
  PID: 2000

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BAE.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4368

  C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID: 3472

C:\Users\Admin\AppData\Local\Temp\9CD6.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9CD6.exe
  - Executes dropped EXE
  PID: 1188

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -nologo -noprofile
    PID: 1532
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 769KB
MD5: fed6be759155cfd181809b6037a91abe
SHA1: 41cc6892cc5ee0a7c2bffbb4fbd0df3567d16936
SHA256: f4bdcf13d4fdd1f30458719c10f7e27c2388cd0a7f9c70ee24d3c4f21dd3e58b
SHA512: 187288dc2b379ef4c4e3ef6f2469411f1d152c1f459dca077bc485bb9d977bc267c950e6d12991e8fd1338be26f5a715009ad353d60e25daa8cf73ce68e133cc

Filesize: 4.1MB
MD5: 0a2ce3c3650ff5a51aef60b7f14f30c2
SHA1: 2332b0b94b614205f45a43d1d025f4985f056de0
SHA256: 32262f826b78815fd8f9043bea69e04d4d8bd9ff85c10b831f85472bafa5f0b8
SHA512: 683478df64cd1bd8790fb96e2999ea8e0d1bd35afc8c164974741c13163e133366140b5f400c05d1e92cf5f37f3a33cebd182771c3b85c637e6b5509f3c3568c

Filesize: 3.5MB
MD5: f288edcc3a1f8e8d2e3b0ce1989a3312
SHA1: 024df82d2ca4830c4ccbd0afee9f2e5ae764436a
SHA256: 3f61c08f68e1683c10ee02753c70dbe3d9774b9b9e377d844ffeac63a31dbc5e
SHA512: c9e4113b66db3fd37e8e1ae9599787c1bcc04b0fedcd9e1451013a25cc8c66b042a4d89e3a9ab30796f3b924f6d9ca6050db39296d2e01d898283e803e3e39e6

Filesize: 77B
MD5: 55cc761bf3429324e5a0095cab002113
SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Filesize: 4.2MB
MD5: 531e650166bd34380a22fc420d157565
SHA1: d2746da211530bc003ffc48904aade9edea63749
SHA256: 0446eebb9e91bfb557179d9e0ebccd42b8270554cca6ef696fd1b86c1a0290fd
SHA512: ee2011bcfac0d470f9adc2a7972901d93a0ac81225393195e771c1b14fc603da19309883e960ef80918fc20b1f60e8aa2524ff34941986b98d5685080ad30f5f

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 161KB
MD5: fb8ddd837ad8b94f1faf0b4920ce7b2b
SHA1: c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b
SHA256: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee
SHA512: db218213ee139583f69b00ea7e33986857cbc73f0e549f996e0dc3b0b34282c838f874a65c13fa7e21adfb8d876ca6cef9421a19171c214b1ea98b1a99f1bc74