Analysis
max time kernel: 154s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-03-2024 19:44
Static task: static1
Behavioral task: behavioral1
    Sample: 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
    Resource: win7-20240221-en
Behavioral task: behavioral2
    Sample: 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
    Resource: win10v2004-20240226-en
General
Target: 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
Size: 132KB
MD5: f1936ac59e253c71f5b2b415c69c0495
SHA1: e19e764f60167f8afd6ea09ac57b623fd6feeaff
SHA256: 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e
SHA512: 0e5fdfd91ee16bddcbd85111c5815c644123aaab39ad076b04ef32bfded1083a7fd3b6ec417dc617d4e65be26266f61018ce12c6d71ba3822880da8a375e4f1b
SSDEEP: 1536:LENr7zNlkFPoZgXg0rgA8k3Cs3cVFkm+j/3DuZE5sGGVXgrNpQNq1Wgl2:LENrXNCiitt0p+nuosGGiNpbXl2
Malware Config
Extracted: smokeloader
    pub1
Extracted: smokeloader
    2022
    http://trad-einmyus.com/index.php
    http://tradein-myus.com/index.php
    http://trade-inmyus.com/index.php
Extracted: djvu
    http://sajdfue.com/test1/get.php
    extension: .wisz
    offline_id: 4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
    payload_url:
        http://sdfjhuz.com/dl/build2.exe
        http://sajdfue.com/files/1/build3.exe
    ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted: lumma
    https://wisemassiveharmonious.shop/api
    https://colorfulequalugliess.shop/api
    https://relevantvoicelesskw.shop/api
    https://associationokeo.shop/api
    https://resergvearyinitiani.shop/api
Signatures
Detect ZGRat V1 2 IoCs
    resource | yara_rule
    behavioral2/files/0x0009000000023292-28.dat | family_zgrat_v1
    behavioral2/memory/2020-34-0x0000000000D10000-0x0000000000D96000-memory.dmp | family_zgrat_v1
Detected Djvu ransomware 10 IoCs
    resource | yara_rule
    behavioral2/memory/3940-22-0x0000000002200000-0x000000000231B000-memory.dmp | family_djvu
    behavioral2/memory/4376-23-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/4376-25-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/4376-30-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/4376-32-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/4376-46-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/4376-61-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/3324-68-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/3324-67-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/3324-70-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
    Ransomware which is a variant of the STOP family.
SmokeLoader
    Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
    Looks up the country code configured in the registry, likely a geofence.
    description | ioc | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DBF5.exe
Deletes itself 1 IoCs
    pid | Process
    3332 | Process not Found
Executes dropped EXE 7 IoCs
    pid | Process
    3940 | DBF5.exe
    4376 | DBF5.exe
    2020 | EDC8.exe
    2544 | DBF5.exe
    3324 | DBF5.exe
    2496 | 19B6.exe
    3080 | 5450.exe
Modifies file permissions 1 TTPs 1 IoCs
    pid | Process
    4216 | icacls.exe
Adds Run key to start application 2 TTPs 1 IoCs
    description | ioc | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\21f12759-31e3-4760-a46e-0a933afd6000\\DBF5.exe\" --AutoStart" | DBF5.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
    flow | ioc
    88 | bitbucket.org
    89 | bitbucket.org
Looks up external IP address via web service 2 IoCs
    Uses a legitimate IP lookup service to find the infected system's external IP.
    flow | ioc
    97 | api.2ip.ua
    99 | api.2ip.ua
Suspicious use of SetThreadContext 3 IoCs
    description | pid | Process | procid_target
    PID 3940 set thread context of 4376 | 3940 | DBF5.exe | 106
    PID 2020 set thread context of 3964 | 2020 | EDC8.exe | 112
    PID 2544 set thread context of 3324 | 2544 | DBF5.exe | 118
Enumerates physical storage devices 1 TTPs
    Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
    pid | pid_target | Process | procid_target
    1124 | 3324 | WerFault.exe | 118
Checks SCSI registry key(s) 3 TTPs 3 IoCs
    SCSI information is often read in order to detect sandboxing environments.
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 800 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe 800 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found 3332 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
    pid | Process
    800 | 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
    description | pid | Process
    Token: SeShutdownPrivilege | 3332 | Process not Found
    Token: SeCreatePagefilePrivilege | 3332 | Process not Found
    Token: SeShutdownPrivilege | 3332 | Process not Found
    Token: SeCreatePagefilePrivilege | 3332 | Process not Found
    Token: SeShutdownPrivilege | 3332 | Process not Found
    Token: SeCreatePagefilePrivilege | 3332 | Process not Found
    Token: SeShutdownPrivilege | 3332 | Process not Found
    Token: SeCreatePagefilePrivilege | 3332 | Process not Found
    Token: SeShutdownPrivilege | 3332 | Process not Found
    Token: SeCreatePagefilePrivilege | 3332 | Process not Found
    Token: SeShutdownPrivilege | 3332 | Process not Found
    Token: SeCreatePagefilePrivilege | 3332 | Process not Found
    Token: SeShutdownPrivilege | 3332 | Process not Found
    Token: SeCreatePagefilePrivilege | 3332 | Process not Found
    Token: SeShutdownPrivilege | 3332 | Process not Found
    Token: SeCreatePagefilePrivilege | 3332 | Process not Found
    Token: SeShutdownPrivilege | 3332 | Process not Found
    Token: SeCreatePagefilePrivilege | 3332 | Process not Found
Suspicious use of UnmapMainImage 1 IoCs
    pid | Process
    3332 | Process not Found
Suspicious use of WriteProcessMemory 57 IoCs
    description pid Process procid_target PID 3332 wrote to memory of 392 3332 Process not Found 99 PID 3332 wrote to memory of 392 3332 Process not Found 99 PID 392 wrote to memory of 4404 392 cmd.exe 101 PID 392 wrote to memory of 4404 392 cmd.exe 101 PID 3332 wrote to memory of 3940 3332 Process not Found 105 PID 3332 wrote to memory of 3940 3332 Process not Found 105 PID 3332 wrote to memory of 3940 3332 Process not Found 105 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3940 wrote to memory of 4376 3940 DBF5.exe 106 PID 3332 wrote to memory of 2020 3332 Process not Found 107 PID 3332 wrote to memory of 2020 3332 Process not Found 107 PID 3332 wrote to memory of 2020 3332 Process not Found 107 PID 4376 wrote to memory of 4216 4376 DBF5.exe 109 PID 4376 wrote to memory of 4216 4376 DBF5.exe 109 PID 4376 wrote to memory of 4216 4376 DBF5.exe 109 PID 2020 wrote to memory of 2760 2020 EDC8.exe 111 PID 2020 wrote to memory of 2760 2020 EDC8.exe 111 PID 2020 wrote to memory of 2760 2020 EDC8.exe 111 PID 2020 wrote to memory of 3964 2020 EDC8.exe 112 PID 2020 wrote to memory of 3964 2020 EDC8.exe 112 PID 2020 wrote to memory of 3964 2020 EDC8.exe 112 PID 2020 wrote to memory of 3964 2020 EDC8.exe 112 PID 2020 wrote to memory of 3964 2020 EDC8.exe 112 PID 2020 wrote to memory of 3964 2020 EDC8.exe 112 PID 2020 wrote to memory of 3964 2020 EDC8.exe 112 PID 2020 wrote to memory of 3964 2020 EDC8.exe 112 PID 2020 wrote to memory of 3964 2020 EDC8.exe 112 PID 4376 wrote to memory of 2544 4376 DBF5.exe 113 PID 4376 wrote to memory of 2544 4376 DBF5.exe 113 PID 4376 wrote to memory of 2544 4376 DBF5.exe 113 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 2544 wrote to memory of 3324 2544 DBF5.exe 118 PID 3332 wrote to memory of 2496 3332 Process not Found 125 PID 3332 wrote to memory of 2496 3332 Process not Found 125 PID 3332 wrote to memory of 2496 3332 Process not Found 125 PID 3332 wrote to memory of 4196 3332 Process not Found 127 PID 3332 wrote to memory of 4196 3332 Process not Found 127 PID 4196 wrote to memory of 3488 4196 cmd.exe 129 PID 4196 wrote to memory of 3488 4196 cmd.exe 129 PID 3332 wrote to memory of 3080 3332 Process not Found 132 PID 3332 wrote to memory of 3080 3332 Process not Found 132
Uses Task Scheduler COM API 1 TTPs
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Indentation shows the parent/child relationship; the bracketed number is the process-tree level.)

[1] C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe"
    PID: 800
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BF73.bat" "
    PID: 392
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\reg.exe
        Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
        PID: 4404

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    PID: 4012

[1] C:\Users\Admin\AppData\Local\Temp\DBF5.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\DBF5.exe
    PID: 3940
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\DBF5.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\DBF5.exe
        PID: 4376
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\icacls.exe
            Command line: icacls "C:\Users\Admin\AppData\Local\21f12759-31e3-4760-a46e-0a933afd6000" /deny *S-1-1-0:(OI)(CI)(DE,DC)
            PID: 4216
            - Modifies file permissions
        [3] C:\Users\Admin\AppData\Local\Temp\DBF5.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DBF5.exe" --Admin IsNotAutoStart IsNotTask
            PID: 2544
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\DBF5.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\DBF5.exe" --Admin IsNotAutoStart IsNotTask
                PID: 3324
                - Executes dropped EXE
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 568
                    PID: 1124
                    - Program crash

[1] C:\Users\Admin\AppData\Local\Temp\EDC8.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\EDC8.exe
    PID: 2020
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 2760
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 3964

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3324 -ip 3324
    PID: 2468

[1] C:\Users\Admin\AppData\Local\Temp\19B6.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\19B6.exe
    PID: 2496
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\237B.bat" "
    PID: 4196
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\reg.exe
        Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
        PID: 3488

[1] C:\Users\Admin\AppData\Local\Temp\5450.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5450.exe
    PID: 3080
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads