Overview

overview

10

Static

static

128a0f0cd5...le.exe

windows7_x64

10

128a0f0cd5...le.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-07-2021 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe

  • Size

    1.1MB

  • MD5

    446e594e266f5e52064fd69a333867f6

  • SHA1

    5c94d21af50f54472cee2cbdb09ec5c7d3361916

  • SHA256

    128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a

  • SHA512

    8f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-jbeixtg.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://6ubux6ppafr24izl.onion.cab or http://6ubux6ppafr24izl.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://6ubux6ppafr24izl.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. TMRAFZ6-EQEUENO-6JPHJ4U-AO2E5DS-OLNZCWJ-BMU7O3N-K5WBEWP-V7MDDHI AXPA7RK-UUNJ3D6-VVUMUOX-HY2F7WL-TLPA33Q-JOP4NFN-VGQ3ZAG-6LDCTCI GP7EBOC-LF56GU7-LGAMXPL-D7S2E6X-AXEQDSH-EUFWYGL-2S6PSXW-ZNOVD4V Follow the instructions on the server.
URLs

http://6ubux6ppafr24izl.onion.cab

http://6ubux6ppafr24izl.tor2web.org

http://6ubux6ppafr24izl.onion/

Extracted

Path

C:\ProgramData\kwivvrl.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://6ubux6ppafr24izl.onion.cab or http://6ubux6ppafr24izl.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://6ubux6ppafr24izl.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://6ubux6ppafr24izl.onion.cab

http://6ubux6ppafr24izl.tor2web.org

http://6ubux6ppafr24izl.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
      "C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1796
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies data under HKEY_USERS
    PID:716
  • C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
    C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows all
      2⤵
      • Interacts with shadow copies
      PID:2536
    • C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
      "C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/716-122-0x0000000010E10000-0x0000000010E87000-memory.dmp

    Filesize

    476KB

    Download

  • memory/1796-118-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1796-114-0x00000000024D0000-0x00000000026EA000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1796-115-0x00000000026F0000-0x000000000293B000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1796-119-0x0000000000400000-0x000000000058C000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2388-134-0x00000000026A0000-0x00000000028EB000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2616-121-0x0000000001390000-0x00000000015DB000-memory.dmp

    Filesize

    2.3MB

    Download