Analysis
-
max time kernel
150s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
14/03/2024, 15:36
General
-
Target
5b9adba171cd2853acc8533c96e1c814.exe
-
Size
271KB
-
MD5
5b9adba171cd2853acc8533c96e1c814
-
SHA1
d415ff5fc9caa6fd4e7e69bc8ea7b42e9c84e7b1
-
SHA256
6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d
-
SHA512
27f2f2c4670fddcb40364e6373561261a5631353651bc29c72e1bd270c594db084351b8cc25c531fe5097c9ab5fe0c0b3f173a36e3b47901ebf7cd3763074bd5
-
SSDEEP
3072:s+qUpt6FGAamWyuILne8gQ0LaP9um8JVNhdPWleHO2ImTHrNlokp8ae:sG6oATg8XMkEJvhd+leuFm/K
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.wisz
-
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted
lumma
https://colorfulequalugliess.shop/api
Signatures
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b9adba171cd2853acc8533c96e1c814.exe"C:\Users\Admin\AppData\Local\Temp\5b9adba171cd2853acc8533c96e1c814.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C98A.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\286F.exeC:\Users\Admin\AppData\Local\Temp\286F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\286F.exeC:\Users\Admin\AppData\Local\Temp\286F.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\ee142792-651f-4bbd-a600-98ad69c0daab" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\286F.exe"C:\Users\Admin\AppData\Local\Temp\286F.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\286F.exe"C:\Users\Admin\AppData\Local\Temp\286F.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 5685⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\42BE.exeC:\Users\Admin\AppData\Local\Temp\42BE.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 12003⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 40881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3916 -ip 39161⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736KB
MD5686acf922c225ce9d019e006fd54b4ef
SHA1b04872c5f46bf955421c4ba4c7cf40954e14170c
SHA256ba5224f8d623bd63a67b33fff7aa5cf73dea837e08b81423016b925db5125758
SHA512414b5a07ced21027000c82adff218a41b88c1ad0b19d2e851a3637841d6beda7047fa9e8a81944bed3ccdec6307ded7af0eff474dfa19873c58d033e64707014
-
Filesize
340KB
MD5e79d42e6b51653c6a459adc6e6cd0e7d
SHA119590e4efcea7b916825669075fb59de0aae0600
SHA2563e1451fbd94c852f561fdb5332a5a8576d940d95b1a8cff4dfc0285bc9fc0b14
SHA51217f70d269b7be8fe4d8fa2b5bca88188c318991ac168d54f37237bbacaf9804e8aa7e6b81a2320bcd61d2a109728461d8082cd69e6b0ed8f1f90600b1ecaed9f
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
624KB
-
Filesize
44KB
-
Filesize
3.1MB
-
Filesize
1024KB
-
Filesize
3.1MB
-
Filesize
88KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
200KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
256KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
32.0MB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32.0MB
-
Filesize
1.1MB
-
Filesize
632KB