Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2024 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4ddc32a5112ba367c194ff4619caed816b1f5941772a50b81f4ddc59db84270.exe

  • Size

    259KB

  • MD5

    eb37bf9e55ec9794c37a1cd473b70272

  • SHA1

    58de7f346f3dcb915a1f1a5a73a13fae77233c7c

  • SHA256

    f4ddc32a5112ba367c194ff4619caed816b1f5941772a50b81f4ddc59db84270

  • SHA512

    d37a023d4f6712a0a2aa850d4490cb5e6da56075360e9f6d184adde4645e0afd87ed33e23ae7c9fd51f89948956595724108d466915266adc007c0fa587ffb31

  • SSDEEP

    6144:OVCijwGD8jFkyIhFxq261Ew8f998oD+3:/wr8j+FZq2nXz5q

Score
10/10
djvuredlinesmokeloaderlogsdiller cloud (tg: @logsdillabot)pub1backdoordiscoveryinfostealerpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes
  • extension

    .vook

  • offline_id

    1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://sajdfue.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

5.42.65.0:29587

Signatures

  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4ddc32a5112ba367c194ff4619caed816b1f5941772a50b81f4ddc59db84270.exe
    "C:\Users\Admin\AppData\Local\Temp\f4ddc32a5112ba367c194ff4619caed816b1f5941772a50b81f4ddc59db84270.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1204
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8E65.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
        PID:1356
    • C:\Users\Admin\AppData\Local\Temp\A1DE.exe
      C:\Users\Admin\AppData\Local\Temp\A1DE.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Users\Admin\AppData\Local\Temp\A1DE.exe
        C:\Users\Admin\AppData\Local\Temp\A1DE.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Local\5b3d6843-eba5-4427-a9ec-e6682e424a28" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          3⤵
          • Modifies file permissions
          PID:3116
        • C:\Users\Admin\AppData\Local\Temp\A1DE.exe
          "C:\Users\Admin\AppData\Local\Temp\A1DE.exe" --Admin IsNotAutoStart IsNotTask
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4608
          • C:\Users\Admin\AppData\Local\Temp\A1DE.exe
            "C:\Users\Admin\AppData\Local\Temp\A1DE.exe" --Admin IsNotAutoStart IsNotTask
            4⤵
            • Executes dropped EXE
            PID:208
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 568
              5⤵
              • Program crash
              PID:3568
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 208 -ip 208
      1⤵
        PID:1252
      • C:\Users\Admin\AppData\Local\Temp\AD1A.exe
        C:\Users\Admin\AppData\Local\Temp\AD1A.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 828
          2⤵
          • Program crash
          PID:932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2604 -ip 2604
        1⤵
          PID:3048
        • C:\Users\Admin\AppData\Local\Temp\E5B0.exe
          C:\Users\Admin\AppData\Local\Temp\E5B0.exe
          1⤵
          • Executes dropped EXE
          PID:2980
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E7A5.bat" "
          1⤵
            PID:4940
            • C:\Windows\system32\reg.exe
              reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
              2⤵
                PID:1072

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\8E65.bat
              Filesize

              77B

              MD5

              55cc761bf3429324e5a0095cab002113

              SHA1

              2cc1ef4542a4e92d4158ab3978425d517fafd16d

              SHA256

              d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

              SHA512

              33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\A1DE.exe
              Filesize

              758KB

              MD5

              601c8193122d6d0b2327d4641128fb0f

              SHA1

              1807a55ad3ec3d575e055e7f65c7461165074a6a

              SHA256

              429b58dfe9191bce5a00ced0ba190e2518cd8f48d7358119d61335e504169a57

              SHA512

              d021ee206e441e152ec04329b7967ee1f6d431288060cc28a3c50b0f35bc3220dac37955188e1a7e4ba0b57a55089e6381ff490718dba528bd87eea07276e820

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\AD1A.exe
              Filesize

              392KB

              MD5

              89ec2c6bf09ed9a38bd11acb2a41cd1b

              SHA1

              408549982b687ca8dd5efb0e8b704a374bd8909d

              SHA256

              da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

              SHA512

              c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\E5B0.exe
              Filesize

              3.8MB

              MD5

              dcf11fb962b1f98b112e5dcd6ccb96be

              SHA1

              ecf9eb5044044c11049f06826ae4d498cefad476

              SHA256

              e1e1089524a5c2b909d368c1eb6673688407794ba8083ecf2d74a4aa63af61d7

              SHA512

              2ba5c9b80b3c1a6c2b9ea4002d04c49aae9576d9c09e883dac119b947049fd800ff108e3b67fd18a4a68886046f309b4a2aac0dea9fef616b3cb84ce0543fc85

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\E5B0.exe
              Filesize

              4.0MB

              MD5

              54caee3343c5bf948b0da7aae045f665

              SHA1

              fad51cad18f6d255166b370c3bd5daee23b32b76

              SHA256

              e919c41f23b40046fcf8fb5b4eeee9429365d71f51b00ebd09e8c1c5ef229f85

              SHA512

              5b58b76e25dd99f1d04325194cb8aa7a25682efce405e7c83fff269e1f4b1bb070ddd46746df496b110285fa033dd52f103b3691e164aa215947a5b768b9a974

              Download Submit
            • memory/208-43-0x0000000000400000-0x0000000000537000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/208-45-0x0000000000400000-0x0000000000537000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/208-42-0x0000000000400000-0x0000000000537000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/1204-2-0x0000000000B80000-0x0000000000B8B000-memory.dmp
              Filesize

              44KB

              Download
            • memory/1204-3-0x0000000000400000-0x0000000000AEA000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1204-5-0x0000000000400000-0x0000000000AEA000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1204-1-0x0000000000B90000-0x0000000000C90000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/2604-63-0x0000000003200000-0x0000000005200000-memory.dmp
              Filesize

              32.0MB

              Download
            • memory/2604-68-0x0000000074700000-0x0000000074EB0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/2604-53-0x0000000000C50000-0x0000000000CB4000-memory.dmp
              Filesize

              400KB

              Download
            • memory/2604-54-0x0000000074700000-0x0000000074EB0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/2604-57-0x0000000003060000-0x0000000003061000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2604-55-0x0000000005800000-0x0000000005810000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2808-24-0x0000000000400000-0x0000000000537000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/2808-36-0x0000000000400000-0x0000000000537000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/2808-26-0x0000000000400000-0x0000000000537000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/2808-25-0x0000000000400000-0x0000000000537000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/2808-22-0x0000000000400000-0x0000000000537000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/2980-95-0x00000000007B0000-0x00000000007B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2980-94-0x0000000000690000-0x0000000000691000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2980-97-0x0000000000E80000-0x0000000000E81000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2980-98-0x0000000000E90000-0x0000000000E91000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2980-96-0x0000000000EE0000-0x0000000001BC5000-memory.dmp
              Filesize

              12.9MB

              Download
            • memory/2980-92-0x0000000000670000-0x0000000000671000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2980-93-0x0000000000680000-0x0000000000681000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2980-83-0x0000000000EE0000-0x0000000001BC5000-memory.dmp
              Filesize

              12.9MB

              Download
            • memory/3088-21-0x0000000002860000-0x000000000297B000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/3088-20-0x00000000027A0000-0x0000000002835000-memory.dmp
              Filesize

              596KB

              Download
            • memory/3376-4-0x0000000002FE0000-0x0000000002FF6000-memory.dmp
              Filesize

              88KB

              Download
            • memory/4608-39-0x00000000026F0000-0x0000000002792000-memory.dmp
              Filesize

              648KB

              Download
            • memory/4692-62-0x0000000005790000-0x0000000005822000-memory.dmp
              Filesize

              584KB

              Download
            • memory/4692-73-0x0000000006390000-0x00000000063F6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4692-74-0x0000000007620000-0x00000000077E2000-memory.dmp
              Filesize

              1.8MB

              Download
            • memory/4692-75-0x0000000007D20000-0x000000000824C000-memory.dmp
              Filesize

              5.2MB

              Download
            • memory/4692-76-0x0000000007B50000-0x0000000007BA0000-memory.dmp
              Filesize

              320KB

              Download
            • memory/4692-78-0x0000000074700000-0x0000000074EB0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4692-72-0x0000000005B00000-0x0000000005B4C000-memory.dmp
              Filesize

              304KB

              Download
            • memory/4692-71-0x0000000005AC0000-0x0000000005AFC000-memory.dmp
              Filesize

              240KB

              Download
            • memory/4692-70-0x0000000005A20000-0x0000000005A32000-memory.dmp
              Filesize

              72KB

              Download
            • memory/4692-69-0x0000000006210000-0x000000000631A000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/4692-67-0x0000000006830000-0x0000000006E48000-memory.dmp
              Filesize

              6.1MB

              Download
            • memory/4692-66-0x00000000058E0000-0x00000000058F0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4692-65-0x0000000005850000-0x000000000585A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/4692-64-0x0000000074700000-0x0000000074EB0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4692-61-0x0000000005C60000-0x0000000006204000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/4692-59-0x0000000000400000-0x0000000000450000-memory.dmp
              Filesize

              320KB

              Download