djvu | a33a2021e2afbab0002aba1fe1b28d9d2c9b18efd2068b7284ce54537cd6ef0f

General

Target

e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe
Size

259KB
MD5

b05a74505fa03339578dff002ba57c69
SHA1

b9851e84dbd2c8b2ecccb30452ddccb0496ef974
SHA256

e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e
SHA512

616337efd4b6a84f0590226b52d8c7398723afe43bb1fc879089a7474b7fd8949e16353bb4ff713da4295dbc4885d5eb34d9483d7441b726592371bb8f285dd3
SSDEEP

3072:NCEgl6HLc0iImEkhg569+wjkabBB2n2qr4j54wCxe9yFfqdwiB9ez/WnQEbK3Zk:NsUrc06Fue/kZr4j5vwbb0WWnQEbe

Score

10^/10

djvu lumma smokeloader pub1 backdoor discovery ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

Signatures

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5108-23-0x0000000002310000-0x000000000242B000-memory.dmp	family_djvu
behavioral2/memory/2804-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2804-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2804-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2804-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

3572
Executes dropped EXE 4 IoCs

Processes:

3276.exe3276.exe61F3.exeA23A.exe

pid process

5108 3276.exe
2804 3276.exe
1608 61F3.exe
3620 A23A.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3044 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

91 drive.google.com
90 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

106 api.2ip.ua
107 api.2ip.ua
Suspicious use of SetThreadContext 1 IoCs

Processes:

3276.exe

description pid process target process

PID 5108 set thread context of 2804 5108 3276.exe 3276.exe

pid	process
3572

pid	process
5108	3276.exe
2804	3276.exe
1608	61F3.exe
3620	A23A.exe

pid	process
3044	icacls.exe

flow	ioc
91	drive.google.com
90	drive.google.com

flow	ioc
106	api.2ip.ua
107	api.2ip.ua

description	pid	process	target process
PID 5108 set thread context of 2804	5108	3276.exe	3276.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe

pid	process
5100	e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe
5100	e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe

pid process

5100 e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3572
Token: SeCreatePagefilePrivilege	3572
Token: SeShutdownPrivilege	3572
Token: SeCreatePagefilePrivilege	3572

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cmd.exe3276.execmd.exe

description	pid	process	target process
PID 3572 wrote to memory of 1008	3572		cmd.exe
PID 3572 wrote to memory of 1008	3572		cmd.exe
PID 1008 wrote to memory of 2904	1008	cmd.exe	reg.exe
PID 1008 wrote to memory of 2904	1008	cmd.exe	reg.exe
PID 3572 wrote to memory of 5108	3572		3276.exe
PID 3572 wrote to memory of 5108	3572		3276.exe
PID 3572 wrote to memory of 5108	3572		3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 5108 wrote to memory of 2804	5108	3276.exe	3276.exe
PID 3572 wrote to memory of 1608	3572		61F3.exe
PID 3572 wrote to memory of 1608	3572		61F3.exe
PID 3572 wrote to memory of 1608	3572		61F3.exe
PID 3572 wrote to memory of 2404	3572		cmd.exe
PID 3572 wrote to memory of 2404	3572		cmd.exe
PID 2404 wrote to memory of 1212	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1212	2404	cmd.exe	reg.exe
PID 3572 wrote to memory of 3620	3572		A23A.exe
PID 3572 wrote to memory of 3620	3572		A23A.exe
PID 3572 wrote to memory of 3620	3572		A23A.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe
"C:\Users\Admin\AppData\Local\Temp\e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1DA5.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\3276.exe
C:\Users\Admin\AppData\Local\Temp\3276.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\3276.exe
C:\Users\Admin\AppData\Local\Temp\3276.exe
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4522f683-3bb4-4275-ab26-a1aa1295ff3b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3044

C:\Users\Admin\AppData\Local\Temp\61F3.exe
C:\Users\Admin\AppData\Local\Temp\61F3.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\732A.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\A23A.exe
C:\Users\Admin\AppData\Local\Temp\A23A.exe
1⤵
- Executes dropped EXE
PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4522f683-3bb4-4275-ab26-a1aa1295ff3b\3276.exe
Filesize
64KB

MD5
120cfba4d4dd7ba9d88614c15592dc40

SHA1
149e7a4580a5a161b11230e4253eb9a584148178

SHA256
b2fad939b61b7ba166d445d1058dab70ccab6e5b4f4ab1239a5c1fb6a69c5d77

SHA512
85cc896c2e25b11706cc46f6bbaa6ad0b1a5d9fa11562ca5c8ada5b779fadb8b653ebc9462cffde1dabb43ea79db9157eb13accd77d0cdaa99e40014b7b14bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DA5.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\3276.exe
Filesize
731KB

MD5
78dfee0a26911ec18d9cae49bcb4c6c0

SHA1
ccd3e0a8dd4626ce87554a2b8fc30659d51e5978

SHA256
3414774186b164063e7f83a550f360bd034ab85c94917aec2e325e3c23b38f94

SHA512
174e2144fa1b659ba5683b9b791d094f687a55dca8569c8d0f4aba8c367d99ab320393493733fd18d8f58d950f6e4f7ee158e4b25c0b1a8906575d7c850b0017

Download Submit
C:\Users\Admin\AppData\Local\Temp\61F3.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\A23A.exe
Filesize
4.1MB

MD5
2a7399dc3ad509f391cd5422054320e5

SHA1
d8ae9690d2be466697b50f0019bf39780fe35513

SHA256
bbbf4e8231c7f5b0374dcd424b5fae89775f3b4344097e9a824fe591d8e441d9

SHA512
726a2d26c283d5f27cff79547f9934eee85babfd9697e2f084ce153d5b2637980d74de5f037e6c69a7b2090345612e84bb72bf7b5815008b03ea71d8c64d619b

Download Submit
memory/1608-80-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-84-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-83-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-94-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-63-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-92-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-93-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-64-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-91-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-89-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-88-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-36-0x0000000000DC0000-0x0000000001AA5000-memory.dmp

Filesize
12.9MB

Download
memory/1608-43-0x0000000000DC0000-0x0000000001AA5000-memory.dmp

Filesize
12.9MB

Download
memory/1608-44-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1608-45-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1608-46-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1608-47-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

Filesize
4KB

Download
memory/1608-48-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/1608-49-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/1608-50-0x0000000000DC0000-0x0000000001AA5000-memory.dmp

Filesize
12.9MB

Download
memory/1608-51-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1608-52-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1608-54-0x0000000001E00000-0x0000000001E32000-memory.dmp

Filesize
200KB

Download
memory/1608-53-0x0000000001E00000-0x0000000001E32000-memory.dmp

Filesize
200KB

Download
memory/1608-87-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-86-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-85-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-82-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-90-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-68-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-71-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-72-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-74-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-75-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-76-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-78-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-79-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/1608-81-0x0000000004410000-0x0000000004510000-memory.dmp

Filesize
1024KB

Download
memory/2804-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3572-5-0x00000000012F0000-0x0000000001306000-memory.dmp

Filesize
88KB

Download
memory/3620-61-0x0000000002A60000-0x0000000002E68000-memory.dmp

Filesize
4.0MB

Download
memory/3620-62-0x0000000002E70000-0x000000000375B000-memory.dmp

Filesize
8.9MB

Download
memory/5100-1-0x0000000000D60000-0x0000000000E60000-memory.dmp

Filesize
1024KB

Download
memory/5100-2-0x0000000002840000-0x000000000284B000-memory.dmp

Filesize
44KB

Download
memory/5100-9-0x0000000002840000-0x000000000284B000-memory.dmp

Filesize
44KB

Download
memory/5100-4-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/5100-3-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/5100-6-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/5108-23-0x0000000002310000-0x000000000242B000-memory.dmp

Filesize
1.1MB

Download
memory/5108-22-0x0000000002270000-0x0000000002306000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads