Analysis
- max time kernel: 152s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 12:57
Static task: static1
Behavioral task: behavioral1
- Sample: 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
- Resource: win10v20210410
General
- Target: 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
- Size: 1.1MB
- MD5: 446e594e266f5e52064fd69a333867f6
- SHA1: 5c94d21af50f54472cee2cbdb09ec5c7d3361916
- SHA256: 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a
- SHA512: 8f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05
Malware Config
Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-jbeixtg.txt:
- http://6ubux6ppafr24izl.onion.cab
- http://6ubux6ppafr24izl.tor2web.org
- http://6ubux6ppafr24izl.onion/
Extracted from C:\ProgramData\kwivvrl.html:
- http://6ubux6ppafr24izl.onion.cab
- http://6ubux6ppafr24izl.tor2web.org
- http://6ubux6ppafr24izl.onion
Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE 2 IoCs
Processes:
- pwqidta.exe (PID 2616)
- pwqidta.exe (PID 2388)

Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
- File renamed: C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ImportDismount.CRW.jbeixtg (svchost.exe)
- File renamed: C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ReceiveUnregister.CRW.jbeixtg (svchost.exe)

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation (pwqidta.exe)

Drops desktop.ini file(s) 1 IoCs
Processes:
- File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (svchost.exe)

Drops file in System32 directory 6 IoCs
Processes (all by pwqidta.exe, file opened for modification):
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-jbeixtg.bmp" (Explorer.EXE)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 2536)
Modifies Internet Explorer settings
Processes (all by pwqidta.exe):
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
- Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""
- Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch

Modifies data under HKEY_USERS 21 IoCs
Processes (all by svchost.exe):
- Key created: \REGISTRY\USER\.DEFAULT\Software
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320036003600640031006300610034002d0030003000300030002d0030003000300030002d0030003000300030002d003500300030003600300030003000300030003000300030007d0000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\MaxCapacity = "15150"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\NukeOnDelete = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
- 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe (PID 1796), 2 events
- pwqidta.exe (PID 2616), 8 events

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- Explorer.EXE (PID 2492)

Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
- Token: SeDebugPrivilege, pwqidta.exe (PID 2616), 2 events
- Token: SeShutdownPrivilege, Explorer.EXE (PID 2492), 7 events
- Token: SeCreatePagefilePrivilege, Explorer.EXE (PID 2492), 7 events

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- pwqidta.exe (PID 2388)

Suspicious use of SendNotifyMessage 1 IoCs
Processes:
- pwqidta.exe (PID 2388)

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- pwqidta.exe (PID 2388), 2 events

Suspicious use of UnmapMainImage 1 IoCs
Processes:
- Explorer.EXE (PID 2492)

Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 2616 (pwqidta.exe) wrote to memory of PID 716 (svchost.exe)
- PID 2616 (pwqidta.exe) wrote to memory of PID 2492 (Explorer.EXE)
- PID 2616 (pwqidta.exe) wrote to memory of PID 2536 (vssadmin.exe), 3 events
- PID 2616 (pwqidta.exe) wrote to memory of PID 2388 (pwqidta.exe), 3 events
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe (command line: "C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe")
    - Suspicious behavior: EnumeratesProcesses
- c:\windows\system32\svchost.exe (command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay)
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Modifies data under HKEY_USERS
- C:\Users\Admin\AppData\Local\Temp\pwqidta.exe (command line: C:\Users\Admin\AppData\Local\Temp\pwqidta.exe)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\vssadmin.exe (command line: vssadmin delete shadows all)
    - Interacts with shadow copies
  - C:\Users\Admin\AppData\Local\Temp\pwqidta.exe (command line: "C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u)
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Downloads
- C:\ProgramData\Adobe\hmvkwmb (captured three times with differing contents)
- C:\ProgramData\kwivvrl.html
- C:\Users\Admin\AppData\Local\Temp\pwqidta.exe (same MD5, SHA1, SHA256 and SHA512 as the submitted sample)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.jbeixtg
- memory/716-122: 0x0000000010E10000-0x0000000010E87000 (476KB)
- memory/1796-118: 0x00000000001E0000-0x00000000001E1000 (4KB)
- memory/1796-114: 0x00000000024D0000-0x00000000026EA000 (2.1MB)
- memory/1796-115: 0x00000000026F0000-0x000000000293B000 (2.3MB)
- memory/1796-119: 0x0000000000400000-0x000000000058C000 (1.5MB)
- memory/2388-131: 0x0000000000000000 (mapping.dmp)
- memory/2388-134: 0x00000000026A0000-0x00000000028EB000 (2.3MB)
- memory/2536-129: 0x0000000000000000 (mapping.dmp)
- memory/2616-121: 0x0000000001390000-0x00000000015DB000 (2.3MB)