Analysis
-
max time kernel
80s -
max time network
88s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
30-03-2024 01:43
General
-
Target
e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe
-
Size
259KB
-
MD5
b05a74505fa03339578dff002ba57c69
-
SHA1
b9851e84dbd2c8b2ecccb30452ddccb0496ef974
-
SHA256
e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e
-
SHA512
616337efd4b6a84f0590226b52d8c7398723afe43bb1fc879089a7474b7fd8949e16353bb4ff713da4295dbc4885d5eb34d9483d7441b726592371bb8f285dd3
-
SSDEEP
3072:NCEgl6HLc0iImEkhg569+wjkabBB2n2qr4j54wCxe9yFfqdwiB9ez/WnQEbK3Zk:NsUrc06Fue/kZr4j5vwbb0WWnQEbe
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
Detected Djvu ransomware 5 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe"C:\Users\Admin\AppData\Local\Temp\e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1DA5.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3276.exeC:\Users\Admin\AppData\Local\Temp\3276.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3276.exeC:\Users\Admin\AppData\Local\Temp\3276.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\4522f683-3bb4-4275-ab26-a1aa1295ff3b" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
-
C:\Users\Admin\AppData\Local\Temp\61F3.exeC:\Users\Admin\AppData\Local\Temp\61F3.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\732A.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A23A.exeC:\Users\Admin\AppData\Local\Temp\A23A.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5120cfba4d4dd7ba9d88614c15592dc40
SHA1149e7a4580a5a161b11230e4253eb9a584148178
SHA256b2fad939b61b7ba166d445d1058dab70ccab6e5b4f4ab1239a5c1fb6a69c5d77
SHA51285cc896c2e25b11706cc46f6bbaa6ad0b1a5d9fa11562ca5c8ada5b779fadb8b653ebc9462cffde1dabb43ea79db9157eb13accd77d0cdaa99e40014b7b14bca
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
731KB
MD578dfee0a26911ec18d9cae49bcb4c6c0
SHA1ccd3e0a8dd4626ce87554a2b8fc30659d51e5978
SHA2563414774186b164063e7f83a550f360bd034ab85c94917aec2e325e3c23b38f94
SHA512174e2144fa1b659ba5683b9b791d094f687a55dca8569c8d0f4aba8c367d99ab320393493733fd18d8f58d950f6e4f7ee158e4b25c0b1a8906575d7c850b0017
-
Filesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
Filesize
4.1MB
MD52a7399dc3ad509f391cd5422054320e5
SHA1d8ae9690d2be466697b50f0019bf39780fe35513
SHA256bbbf4e8231c7f5b0374dcd424b5fae89775f3b4344097e9a824fe591d8e441d9
SHA512726a2d26c283d5f27cff79547f9934eee85babfd9697e2f084ce153d5b2637980d74de5f037e6c69a7b2090345612e84bb72bf7b5815008b03ea71d8c64d619b
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
12.9MB
-
Filesize
12.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
88KB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
1.1MB
-
Filesize
600KB