Analysis
-
max time kernel
49s -
max time network
83s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
31-03-2024 16:50
Static task
static1
Behavioral task
behavioral1
Sample
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
Resource
win11-20240221-en
General
-
Target
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
-
Size
277KB
-
MD5
0a4050b41baf35977e32749d092364dc
-
SHA1
e86798879b46d78b80442390e3bf16576597bbd0
-
SHA256
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a
-
SHA512
baf663684dcdce2e39c18ebe22bbfb6c649200ab2a72269b5fba6d263c2eba5bafa12455d5bc569810f538e2f8b9bd05185536509897255da49dfefcdea8c4a9
-
SSDEEP
3072:MOGWS6M7qGfIDp+pwZXhmnuJqkQt5LxxCNGZyAEr2vnV1cywTBlMTKa:MOYeKEpdrhQhfkXqvnHUBCT
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Signatures
-
Detected Djvu ransomware 9 IoCs
Processes:
resource yara_rule behavioral2/memory/1152-21-0x0000000004B90000-0x0000000004CAB000-memory.dmp family_djvu behavioral2/memory/4108-22-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4108-24-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4108-25-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4108-26-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4108-38-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4924-44-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4924-45-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4924-47-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
Processes:
pid process 3356 -
Executes dropped EXE 5 IoCs
Processes:
BC2D.exeBC2D.exeBC2D.exeBC2D.exeF138.exepid process 1152 BC2D.exe 4108 BC2D.exe 3240 BC2D.exe 4924 BC2D.exe 3756 F138.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
BC2D.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f3ecdc10-b64f-4389-87e6-b5ba77853c88\\BC2D.exe\" --AutoStart" BC2D.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 api.2ip.ua 1 api.2ip.ua -
Suspicious use of SetThreadContext 2 IoCs
Processes:
BC2D.exeBC2D.exedescription pid process target process PID 1152 set thread context of 4108 1152 BC2D.exe BC2D.exe PID 3240 set thread context of 4924 3240 BC2D.exe BC2D.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4812 4924 WerFault.exe BC2D.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exepid process 4448 23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe 4448 23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 3356 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exepid process 4448 23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description pid process Token: SeShutdownPrivilege 3356 Token: SeCreatePagefilePrivilege 3356 Token: SeShutdownPrivilege 3356 Token: SeCreatePagefilePrivilege 3356 Token: SeShutdownPrivilege 3356 Token: SeCreatePagefilePrivilege 3356 Token: SeShutdownPrivilege 3356 Token: SeCreatePagefilePrivilege 3356 -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
cmd.exeBC2D.exeBC2D.exeBC2D.exedescription pid process target process PID 3356 wrote to memory of 3984 3356 cmd.exe PID 3356 wrote to memory of 3984 3356 cmd.exe PID 3984 wrote to memory of 3348 3984 cmd.exe reg.exe PID 3984 wrote to memory of 3348 3984 cmd.exe reg.exe PID 3356 wrote to memory of 1152 3356 BC2D.exe PID 3356 wrote to memory of 1152 3356 BC2D.exe PID 3356 wrote to memory of 1152 3356 BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 1152 wrote to memory of 4108 1152 BC2D.exe BC2D.exe PID 4108 wrote to memory of 1460 4108 BC2D.exe icacls.exe PID 4108 wrote to memory of 1460 4108 BC2D.exe icacls.exe PID 4108 wrote to memory of 1460 4108 BC2D.exe icacls.exe PID 4108 wrote to memory of 3240 4108 BC2D.exe BC2D.exe PID 4108 wrote to memory of 3240 4108 BC2D.exe BC2D.exe PID 4108 wrote to memory of 3240 4108 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3240 wrote to memory of 4924 3240 BC2D.exe BC2D.exe PID 3356 wrote to memory of 3756 3356 F138.exe PID 3356 wrote to memory of 3756 3356 F138.exe PID 3356 wrote to memory of 3756 3356 F138.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe"C:\Users\Admin\AppData\Local\Temp\23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\89A2.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\BC2D.exeC:\Users\Admin\AppData\Local\Temp\BC2D.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BC2D.exeC:\Users\Admin\AppData\Local\Temp\BC2D.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\f3ecdc10-b64f-4389-87e6-b5ba77853c88" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\BC2D.exe"C:\Users\Admin\AppData\Local\Temp\BC2D.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BC2D.exe"C:\Users\Admin\AppData\Local\Temp\BC2D.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 6005⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4924 -ip 49241⤵
-
C:\Users\Admin\AppData\Local\Temp\F138.exeC:\Users\Admin\AppData\Local\Temp\F138.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F3F8.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\89A2.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\BC2D.exeFilesize
775KB
MD50bce94914b6f342ca9d88f651a8f0288
SHA105c05ed36c5b04aa64eaf420d9e418f85dd8fd8a
SHA2567ced079f6b9a845d2d0cc88a14bc09cab9221b9d56fa99932271942fd42c8ce0
SHA51277c9c96a61027b60b398f6a57db6423624624673327b5da3d19c5d0dd956ee2b32befcf65e8dc5d4aa5086e52c3997c18e9cda143e6cfacb3b7f43fdc871cd10
-
C:\Users\Admin\AppData\Local\Temp\F138.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
memory/1152-20-0x0000000004990000-0x0000000004A2C000-memory.dmpFilesize
624KB
-
memory/1152-21-0x0000000004B90000-0x0000000004CAB000-memory.dmpFilesize
1.1MB
-
memory/3240-41-0x00000000049B0000-0x0000000004A43000-memory.dmpFilesize
588KB
-
memory/3356-4-0x0000000000A80000-0x0000000000A96000-memory.dmpFilesize
88KB
-
memory/3756-67-0x0000000000E30000-0x0000000000E31000-memory.dmpFilesize
4KB
-
memory/3756-69-0x0000000001C40000-0x0000000001C41000-memory.dmpFilesize
4KB
-
memory/3756-72-0x0000000001C50000-0x0000000001C90000-memory.dmpFilesize
256KB
-
memory/3756-76-0x0000000001C50000-0x0000000001C90000-memory.dmpFilesize
256KB
-
memory/3756-73-0x0000000001C50000-0x0000000001C90000-memory.dmpFilesize
256KB
-
memory/3756-75-0x0000000001C50000-0x0000000001C90000-memory.dmpFilesize
256KB
-
memory/3756-74-0x0000000001C50000-0x0000000001C90000-memory.dmpFilesize
256KB
-
memory/3756-71-0x0000000001C50000-0x0000000001C90000-memory.dmpFilesize
256KB
-
memory/3756-68-0x0000000001C30000-0x0000000001C31000-memory.dmpFilesize
4KB
-
memory/3756-66-0x0000000000E20000-0x0000000000E21000-memory.dmpFilesize
4KB
-
memory/3756-65-0x0000000000E40000-0x0000000001B25000-memory.dmpFilesize
12.9MB
-
memory/3756-64-0x0000000000DF0000-0x0000000000DF1000-memory.dmpFilesize
4KB
-
memory/3756-54-0x0000000000E40000-0x0000000001B25000-memory.dmpFilesize
12.9MB
-
memory/3756-63-0x0000000000DE0000-0x0000000000DE1000-memory.dmpFilesize
4KB
-
memory/4108-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4108-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4108-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4108-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4108-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4448-2-0x0000000002E50000-0x0000000002E5B000-memory.dmpFilesize
44KB
-
memory/4448-1-0x0000000003020000-0x0000000003120000-memory.dmpFilesize
1024KB
-
memory/4448-5-0x0000000000400000-0x0000000002D44000-memory.dmpFilesize
41.3MB
-
memory/4448-3-0x0000000000400000-0x0000000002D44000-memory.dmpFilesize
41.3MB
-
memory/4924-47-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4924-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4924-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB