Analysis
- max time kernel: 150s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:57

Static task: static1

Behavioral task: behavioral1
- Sample: 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
- Resource: win10v20210410
General
- Target: 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
- Size: 1.1MB
- MD5: 446e594e266f5e52064fd69a333867f6
- SHA1: 5c94d21af50f54472cee2cbdb09ec5c7d3361916
- SHA256: 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a
- SHA512: 8f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05
Malware Config

Extracted from C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yayejrd.txt
- http://6ubux6ppafr24izl.onion.cab
- http://6ubux6ppafr24izl.tor2web.org
- http://6ubux6ppafr24izl.onion/

Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-yayejrd.txt
- http://6ubux6ppafr24izl.onion.cab
- http://6ubux6ppafr24izl.tor2web.org
- http://6ubux6ppafr24izl.onion/

Extracted from C:\ProgramData\ummcbbc.html
- http://6ubux6ppafr24izl.onion.cab
- http://6ubux6ppafr24izl.tor2web.org
- http://6ubux6ppafr24izl.onion
Signatures

- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1812 exusltb.exe
  - 1544 exusltb.exe

- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
  - File renamed: C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GroupInstall.RAW.yayejrd (svchost.exe)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation (exusltb.exe)

- Drops desktop.ini file(s) (1 IoC)
  Processes (description, ioc, process):
  - File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (svchost.exe)

- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (exusltb.exe)

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-yayejrd.bmp" (Explorer.EXE)

- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yayejrd.txt (svchost.exe)
  - File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yayejrd.bmp (svchost.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
  - 520 vssadmin.exe
- Modifies Internet Explorer settings (3 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main (exusltb.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (exusltb.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (exusltb.exe)
- Modifies data under HKEY_USERS (19 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\.DEFAULT\Software (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume (svchost.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140" (svchost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000 (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket (svchost.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0" (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963} (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
  - 788 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
  - 1812 exusltb.exe
  - 1812 exusltb.exe
  - 1812 exusltb.exe
  - 1812 exusltb.exe
  - 1812 exusltb.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  - 1256 Explorer.EXE

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1812 exusltb.exe
  - Token: SeDebugPrivilege, 1812 exusltb.exe
  - Token: SeShutdownPrivilege, 1256 Explorer.EXE

- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes (pid, process):
  - 1544 exusltb.exe
  - 1256 Explorer.EXE
  - 1256 Explorer.EXE
  - 1256 Explorer.EXE
  - 1256 Explorer.EXE

- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes (pid, process):
  - 1544 exusltb.exe
  - 1256 Explorer.EXE
  - 1256 Explorer.EXE
  - 1256 Explorer.EXE
  - 1256 Explorer.EXE

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  - 1544 exusltb.exe
  - 1544 exusltb.exe

- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, pid, process, target process):
  - PID 1732 wrote to memory of 1812: 1732 taskeng.exe -> exusltb.exe
  - PID 1732 wrote to memory of 1812: 1732 taskeng.exe -> exusltb.exe
  - PID 1732 wrote to memory of 1812: 1732 taskeng.exe -> exusltb.exe
  - PID 1732 wrote to memory of 1812: 1732 taskeng.exe -> exusltb.exe
  - PID 1812 wrote to memory of 576: 1812 exusltb.exe -> svchost.exe
  - PID 576 wrote to memory of 1488: 576 svchost.exe -> DllHost.exe
  - PID 576 wrote to memory of 1488: 576 svchost.exe -> DllHost.exe
  - PID 576 wrote to memory of 1488: 576 svchost.exe -> DllHost.exe
  - PID 1812 wrote to memory of 1256: 1812 exusltb.exe -> Explorer.EXE
  - PID 1812 wrote to memory of 520: 1812 exusltb.exe -> vssadmin.exe
  - PID 1812 wrote to memory of 520: 1812 exusltb.exe -> vssadmin.exe
  - PID 1812 wrote to memory of 520: 1812 exusltb.exe -> vssadmin.exe
  - PID 1812 wrote to memory of 520: 1812 exusltb.exe -> vssadmin.exe
  - PID 1812 wrote to memory of 1544: 1812 exusltb.exe -> exusltb.exe
  - PID 1812 wrote to memory of 1544: 1812 exusltb.exe -> exusltb.exe
  - PID 1812 wrote to memory of 1544: 1812 exusltb.exe -> exusltb.exe
  - PID 1812 wrote to memory of 1544: 1812 exusltb.exe -> exusltb.exe
  - PID 576 wrote to memory of 108: 576 svchost.exe -> DllHost.exe
  - PID 576 wrote to memory of 108: 576 svchost.exe -> DllHost.exe
  - PID 576 wrote to memory of 108: 576 svchost.exe -> DllHost.exe
Processes (process tree; depth given for each entry, child processes indented under their parent)

- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe"
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\DllHost.exe (depth 2)
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  - C:\Windows\system32\DllHost.exe (depth 2)
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {32E33CD3-2430-4E2D-8493-D17E78276520} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\exusltb.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\exusltb.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows all
      - Interacts with shadow copies
    - C:\Users\Admin\AppData\Local\Temp\exusltb.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in System32 directory
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Downloads

- C:\ProgramData\Microsoft\grnkdai
  MD5: 47a671d2635585ff3ffecd257b2c37e1
  SHA1: 9cbc5197a3bbaa87b62314733074c8dd5e2105a7
  SHA256: 5f32de0fba7798cc5920090d62d71c5cfb8d4b574a799327025a07e52b6ce546
  SHA512: 92f98d3a06948826f3c42607f8cf86af7a5173875bb15e8a7a543f1d53e7745fdff441013f13dfbb3a7ef16363049f9cc60fcb1cd3551a8bd3c0b6091a6438a8
- C:\ProgramData\Microsoft\grnkdai
  MD5: e3baef087d8ff478a6fc1653a5ab4837
  SHA1: 0a090f0a812e2367399fb467f1e8178b2b961cfd
  SHA256: a33fff7be2ef5925952f75c28cda6929004e546f78a546350ecd2be42a215f7d
  SHA512: b793447a2d691d20e65dd8b9fe031bb59d6b67b948f6b1ba2bb91149a3b9a41f3f38b3d4648aced072a1263659ff9bda5a472ebd83cc80450d769a1810f16161
- C:\ProgramData\ummcbbc.html
  MD5: 0c3baa2e2e1c29577212e17d4e69887c
  SHA1: e0bc211efd9ce6ae817c2459071d85e17a085655
  SHA256: 4df63339103c66fda5be18588e6e2d9788a419cbf986f74a4132b6b4943b0925
  SHA512: 82ed7ff7979edcfd2248a380b2329cc6618ca248be2ff2b72dd6f91706db37888adcb6aed8e24f4b1cf33cd3087dec4f3153a8be111f5d574fd0351ea2a50a85

- C:\Users\Admin\AppData\Local\Temp\exusltb.exe
  MD5: 446e594e266f5e52064fd69a333867f6
  SHA1: 5c94d21af50f54472cee2cbdb09ec5c7d3361916
  SHA256: 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a
  SHA512: 8f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05