Analysis
-
max time kernel
46s -
max time network
80s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
01-04-2024 04:47
General
-
Target
0bb73ffe5f66b8adf8eb08920092ef138dc638f14d85bea5b3b9953e65220ccf.exe
-
Size
269KB
-
MD5
01a5c233c78889b9f616f56a32ffd98a
-
SHA1
4cf878eddf1fdef6009ba6534e337f7337f113bd
-
SHA256
0bb73ffe5f66b8adf8eb08920092ef138dc638f14d85bea5b3b9953e65220ccf
-
SHA512
3e9748b3ec4b4856637e4a0e8b8a2d5843ed65a141df1263c5f44c1e033f82d43970ddd2d47227ccb292045d218cdac5eb0d8d42b986aaf9dc6a0725e2114e75
-
SSDEEP
3072:L6rAFJ0cUm1+irZXhn1ONe+gKn72hKSEG4r6AZAiFfkBlVa:Lny3UrkDn72jEjPZAgsB
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
vidar
https://steamcommunity.com/profiles/76561199658817715
https://t.me/sa9ok
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Vidar Stealer 5 IoCs
-
Detected Djvu ransomware 16 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bb73ffe5f66b8adf8eb08920092ef138dc638f14d85bea5b3b9953e65220ccf.exe"C:\Users\Admin\AppData\Local\Temp\0bb73ffe5f66b8adf8eb08920092ef138dc638f14d85bea5b3b9953e65220ccf.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8A4E.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\9BC4.exeC:\Users\Admin\AppData\Local\Temp\9BC4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9BC4.exeC:\Users\Admin\AppData\Local\Temp\9BC4.exe2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\9e9be997-9aca-41ee-a90d-7911c9e59588" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\9BC4.exe"C:\Users\Admin\AppData\Local\Temp\9BC4.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9BC4.exe"C:\Users\Admin\AppData\Local\Temp\9BC4.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build2.exe"C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build2.exe"C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 22927⤵
- Program crash
-
C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build3.exe"C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build3.exe"C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 568 -ip 5681⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\E580.exeC:\Users\Admin\AppData\Local\Temp\E580.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E830.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5f5d38a6b4d7dd26226946210bd98974e
SHA1a76e96f9ed6df8e812d14b52ef4bbdb2a484964c
SHA256131c777ed9d52e3945245f4c17159eb1b636542d04705284173e893b264de187
SHA51247c8cb5ca742ff4dabaa44062c33c41fc5c549de8836f0b8e17f4bea4494c6ab0f93cfd361b68223fd2c75cd21b11526701c8c800ddc6ba7b389bf9ef3b96c41
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD53246c4851e1347031633cedb8f5fbb24
SHA140efb24ac3f8a2067dbe1a7b72333d86743dd8be
SHA256932dda814fd568f9368c2e0b322633b6e1d0aeb92d435fae9015790869fd6c3e
SHA512660d32f493e1c0c46afcb3dfd0fe1532de18547a1cfe68d9ea534a46fdaadbeb3b9c8c23f32bdec37207ffa67a8ec6889252e697ac56210d13cc9f5129eb5f64
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD5776a34c46303bb3b6220b13a5ce3c094
SHA1353128700c0d26423332a3cccb5644c66c49d7a9
SHA256b8067d8a4d586153d06fdc942f414d4ce82d1e263c6cfc6e2cf0bce24f18bf2d
SHA5121780bcf5357ed1f227df9f1a43f23a4a851ea15ad9f0dfa697388428e169b8b1e09949f789934ad1bd47a59ddcf8f7fee636efe84e22d0a379a54db6c95808b4
-
C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build2.exeFilesize
265KB
MD597563a191c32200a6f0dff251bdd40f8
SHA11d8bd22c19d703349428d0c8c9c8c10a1d068f50
SHA2562389dff2f3f5459ebb8110c01eeedee11ce0c75c3bb735f6f5f76f8a7bb6e9f6
SHA512810ada6b966b6bc58dfc980a49ee6a5d4482af338a47a567ca659ccf65d1834506792f39a12b45cd5f6dd138ed4e943ee8d6ef1ac45ee59ab217696ad9ae5ed8
-
C:\Users\Admin\AppData\Local\19dcd2ad-3349-45c7-87dd-b0945ac9da67\build3.exeFilesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
C:\Users\Admin\AppData\Local\Temp\8A4E.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\9BC4.exeFilesize
731KB
MD507df9eac8a0915350f826af0c0a23dda
SHA1437070dac74b3821ba7022d093ea5fccca78bba5
SHA2565be3389fe4f9d8c0106e8270f2a4a71c8d8d07fb95999f63bdd090dff362b5c4
SHA512239329bcf9fe850aeb4c4beab8d7cc47d1d701b659edcf74168481c55be5f8225748f5d9b4f37c415a3c3fdecf25817c5ca0150bff50f0d2667cd9359b14452e
-
C:\Users\Admin\AppData\Local\Temp\E580.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
memory/568-95-0x0000000000400000-0x0000000000648000-memory.dmpFilesize
2.3MB
-
memory/568-71-0x0000000000400000-0x0000000000648000-memory.dmpFilesize
2.3MB
-
memory/568-76-0x0000000000400000-0x0000000000648000-memory.dmpFilesize
2.3MB
-
memory/568-77-0x0000000000400000-0x0000000000648000-memory.dmpFilesize
2.3MB
-
memory/1160-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1160-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1160-21-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1160-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1160-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1248-115-0x0000000000A20000-0x0000000000B20000-memory.dmpFilesize
1024KB
-
memory/1756-20-0x0000000002370000-0x0000000002405000-memory.dmpFilesize
596KB
-
memory/1756-23-0x0000000002410000-0x000000000252B000-memory.dmpFilesize
1.1MB
-
memory/1884-75-0x0000000002270000-0x00000000022A5000-memory.dmpFilesize
212KB
-
memory/1884-74-0x0000000000790000-0x0000000000890000-memory.dmpFilesize
1024KB
-
memory/2016-98-0x0000000000900000-0x0000000000A00000-memory.dmpFilesize
1024KB
-
memory/2016-101-0x00000000023F0000-0x00000000023F4000-memory.dmpFilesize
16KB
-
memory/2788-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2788-111-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2788-58-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2788-56-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2788-52-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2788-51-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2788-46-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2788-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2788-59-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2788-92-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2904-103-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/2904-106-0x0000000000410000-0x0000000000413000-memory.dmpFilesize
12KB
-
memory/2904-99-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/2904-105-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/3168-132-0x00000000012B0000-0x00000000012B1000-memory.dmpFilesize
4KB
-
memory/3168-137-0x0000000002FD0000-0x0000000002FD1000-memory.dmpFilesize
4KB
-
memory/3168-140-0x0000000002FE0000-0x0000000003020000-memory.dmpFilesize
256KB
-
memory/3168-141-0x0000000002FE0000-0x0000000003020000-memory.dmpFilesize
256KB
-
memory/3168-142-0x0000000002FE0000-0x0000000003020000-memory.dmpFilesize
256KB
-
memory/3168-143-0x0000000002FE0000-0x0000000003020000-memory.dmpFilesize
256KB
-
memory/3168-122-0x0000000000060000-0x0000000000D45000-memory.dmpFilesize
12.9MB
-
memory/3168-131-0x00000000012A0000-0x00000000012A1000-memory.dmpFilesize
4KB
-
memory/3168-144-0x0000000002FE0000-0x0000000003020000-memory.dmpFilesize
256KB
-
memory/3168-135-0x0000000002FB0000-0x0000000002FB1000-memory.dmpFilesize
4KB
-
memory/3168-134-0x0000000002FA0000-0x0000000002FA1000-memory.dmpFilesize
4KB
-
memory/3168-136-0x0000000002FC0000-0x0000000002FC1000-memory.dmpFilesize
4KB
-
memory/3168-133-0x0000000000060000-0x0000000000D45000-memory.dmpFilesize
12.9MB
-
memory/3168-139-0x0000000002FE0000-0x0000000003020000-memory.dmpFilesize
256KB
-
memory/3356-4-0x0000000000A60000-0x0000000000A76000-memory.dmpFilesize
88KB
-
memory/3716-41-0x0000000002360000-0x00000000023FA000-memory.dmpFilesize
616KB
-
memory/4372-2-0x0000000002EA0000-0x0000000002EAB000-memory.dmpFilesize
44KB
-
memory/4372-3-0x0000000000400000-0x0000000002D42000-memory.dmpFilesize
41.3MB
-
memory/4372-1-0x0000000002EC0000-0x0000000002FC0000-memory.dmpFilesize
1024KB
-
memory/4372-5-0x0000000000400000-0x0000000002D42000-memory.dmpFilesize
41.3MB