Analysis
-
max time kernel
152s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
26-07-2021 12:57
General
-
Target
128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
-
Size
1.1MB
-
MD5
446e594e266f5e52064fd69a333867f6
-
SHA1
5c94d21af50f54472cee2cbdb09ec5c7d3361916
-
SHA256
128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a
-
SHA512
8f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05
Malware Config
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-jbeixtg.txt
http://6ubux6ppafr24izl.onion.cab
http://6ubux6ppafr24izl.tor2web.org
http://6ubux6ppafr24izl.onion/
Extracted
C:\ProgramData\kwivvrl.html
http://6ubux6ppafr24izl.onion.cab
http://6ubux6ppafr24izl.tor2web.org
http://6ubux6ppafr24izl.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 6 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe"C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exeC:\Users\Admin\AppData\Local\Temp\pwqidta.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all2⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe"C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Adobe\hmvkwmbMD5
00ee61acd4352b9206097fc01145e2dd
SHA11465e79e14a06aa310ecd7449fdf78cc4e5c38c0
SHA2562a5c52170f9f72c68afc66a26acb09a86ea0f137d424c21e5432cbf33fed141a
SHA5127b474599f9669020805e49d0ca25ef45eb903b477cfaf5e86f4993693a4e1edae674725d0308b565bc468bd80619da97f5ca4bc5c1d47dcf1102aab26ec53129
-
C:\ProgramData\Adobe\hmvkwmbMD5
00ee61acd4352b9206097fc01145e2dd
SHA11465e79e14a06aa310ecd7449fdf78cc4e5c38c0
SHA2562a5c52170f9f72c68afc66a26acb09a86ea0f137d424c21e5432cbf33fed141a
SHA5127b474599f9669020805e49d0ca25ef45eb903b477cfaf5e86f4993693a4e1edae674725d0308b565bc468bd80619da97f5ca4bc5c1d47dcf1102aab26ec53129
-
C:\ProgramData\Adobe\hmvkwmbMD5
483c007153dcc33ec89e85918e5eaeae
SHA1d3a5312241c8ea49a4bd4d36b45581f9c0822b86
SHA256ac45bbdb362d1fe63654238a89a7a2a671ba8c835e791b739ff2037ae49f66cb
SHA51275b6ce7a1d30cf706bd53809bc92bdc55844c2af419aee69628d91c9f1f23cd2fabc82914389752843684d7eb006adacc53eb35af0821f62dec99a48fe04b1a1
-
C:\ProgramData\Adobe\hmvkwmbMD5
4ce12e7fa00474ab3d5d862cddf34d3c
SHA1ebca79dbb4de56bb5dc7e072ce8ca5ef4d3be2e0
SHA256571aaaf88c98753b9072716947c37690a7900a682d7c410e0dc5eca9632808fa
SHA51262adc11e66a836f19b09d876adb90a00b9bc2dc65fda7226b23a3e33100b21c4dc009f09809f65a3a121912b3219727f240fc6b919d730a30c231238d2028dd4
-
C:\ProgramData\Adobe\hmvkwmbMD5
4ce12e7fa00474ab3d5d862cddf34d3c
SHA1ebca79dbb4de56bb5dc7e072ce8ca5ef4d3be2e0
SHA256571aaaf88c98753b9072716947c37690a7900a682d7c410e0dc5eca9632808fa
SHA51262adc11e66a836f19b09d876adb90a00b9bc2dc65fda7226b23a3e33100b21c4dc009f09809f65a3a121912b3219727f240fc6b919d730a30c231238d2028dd4
-
C:\ProgramData\kwivvrl.htmlMD5
f607a61aec0ce5db95732354807f832b
SHA1da2a7c4d89a8aaebe411a419c0c63579666f7748
SHA256f784aa86584efe182dc926d518bc6cf23e2fd58d475c0a655224f86f6bc89d7f
SHA51213460e7fad678bdc9ad73abb3bd4399ce25f0942e6b48255052fb63516769f27821766afd5776650f16d3003c70837d2d7be26a13629948d0c9d77c54d1c7712
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exeMD5
446e594e266f5e52064fd69a333867f6
SHA15c94d21af50f54472cee2cbdb09ec5c7d3361916
SHA256128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a
SHA5128f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exeMD5
446e594e266f5e52064fd69a333867f6
SHA15c94d21af50f54472cee2cbdb09ec5c7d3361916
SHA256128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a
SHA5128f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exeMD5
446e594e266f5e52064fd69a333867f6
SHA15c94d21af50f54472cee2cbdb09ec5c7d3361916
SHA256128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a
SHA5128f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.jbeixtgMD5
457f1a6b774c316ae84040ce0bd8f14a
SHA1f30c1f034c4e11aa6ad6a12a7059375bf471acc1
SHA25693d5e077461f7657608f8845103b67bdb385e0d88f2b2f75e8808df0d6551c09
SHA512437a79e68adbe6ad7691b58022f205fab62f8764072843e2ed370535379790f18ebabe399652136a9abe6d3c689c51555470a193f74a6bd21890f8fcaed6acd4
-
memory/716-122-0x0000000010E10000-0x0000000010E87000-memory.dmpFilesize
476KB
-
memory/1796-118-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/1796-114-0x00000000024D0000-0x00000000026EA000-memory.dmpFilesize
2.1MB
-
memory/1796-115-0x00000000026F0000-0x000000000293B000-memory.dmpFilesize
2.3MB
-
memory/1796-119-0x0000000000400000-0x000000000058C000-memory.dmpFilesize
1.5MB
-
memory/2388-131-0x0000000000000000-mapping.dmp
-
memory/2388-134-0x00000000026A0000-0x00000000028EB000-memory.dmpFilesize
2.3MB
-
memory/2536-129-0x0000000000000000-mapping.dmp
-
memory/2616-121-0x0000000001390000-0x00000000015DB000-memory.dmpFilesize
2.3MB
