Analysis
- max time kernel: 151s
- max time network: 55s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:39

Static task: static1

Behavioral task: behavioral1
- Sample: 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
- Resource: win10v20210410

General
- Target: 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
- Size: 674KB
- MD5: 1c0fbff0f6a18ce6d05e0026b7423b64
- SHA1: f422c94cc824c175802df15408114b6284918e17
- SHA256: 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a
- SHA512: 40574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41
Malware Config

Extracted from C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-oslhjrd.txt:
- http://jssestaew3e7ao3q.onion.cab
- http://jssestaew3e7ao3q.tor2web.org
- http://jssestaew3e7ao3q.onion/

Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-oslhjrd.txt:
- http://jssestaew3e7ao3q.onion.cab
- http://jssestaew3e7ao3q.tor2web.org
- http://jssestaew3e7ao3q.onion/

Extracted from C:\ProgramData\ummcbbc.html:
- http://jssestaew3e7ao3q.onion.cab
- http://jssestaew3e7ao3q.tor2web.org
- http://jssestaew3e7ao3q.onion
Signatures

- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 1484 exusltb.exe
  - PID 920 exusltb.exe

- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (svchost.exe):
  - File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SaveOptimize.CRW.oslhjrd
  - File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConvertResolve.CRW.oslhjrd
  - File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExportUnpublish.RAW.oslhjrd
  - File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\WatchRename.RAW.oslhjrd
  - File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CloseWatch.CRW.oslhjrd

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (exusltb.exe):
  - Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation

- Drops desktop.ini file(s) (1 IoC)
  Processes (svchost.exe):
  - File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

- Drops file in System32 directory (1 IoC)
  Processes (exusltb.exe):
  - File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (Explorer.EXE):
  - Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-oslhjrd.bmp"

- Drops file in Program Files directory (2 IoCs)
  Processes (svchost.exe):
  - File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-oslhjrd.bmp
  - File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-oslhjrd.txt

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - PID 1648 vssadmin.exe

- Modifies Internet Explorer settings (3 IoCs)
  Processes (exusltb.exe):
  - Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main
  - Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  - Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"

- Modifies data under HKEY_USERS (19 IoCs)
  Processes (svchost.exe):
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140"
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"
  - Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
  - Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  - PID 1816 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
  - PID 1484 exusltb.exe (6 events)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 1220 Explorer.EXE

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1484 exusltb.exe (2 events)
  - Token: SeShutdownPrivilege, PID 1220 Explorer.EXE
  - Token: 33, PID 1052 AUDIODG.EXE (2 events)
  - Token: SeIncBasePriorityPrivilege, PID 1052 AUDIODG.EXE (2 events)

- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes:
  - PID 920 exusltb.exe
  - PID 1220 Explorer.EXE (4 events)

- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes:
  - PID 920 exusltb.exe
  - PID 1220 Explorer.EXE (4 events)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - PID 920 exusltb.exe (2 events)

- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (source PID/process -> target PID/process):
  - PID 1984 taskeng.exe wrote to memory of PID 1484 exusltb.exe (4 events)
  - PID 1484 exusltb.exe wrote to memory of PID 580 svchost.exe
  - PID 580 svchost.exe wrote to memory of PID 336 DllHost.exe (3 events)
  - PID 1484 exusltb.exe wrote to memory of PID 1220 Explorer.EXE
  - PID 1484 exusltb.exe wrote to memory of PID 1648 vssadmin.exe (4 events)
  - PID 1484 exusltb.exe wrote to memory of PID 920 exusltb.exe (4 events)
  - PID 580 svchost.exe wrote to memory of PID 1792 DllHost.exe (3 events)
Processes (tree; nesting shows parent/child relationship)

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Sets desktop wallpaper using registry; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  Signatures: Modifies extensions of user files; Drops desktop.ini file(s); Drops file in Program Files directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  - C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {15241813-FF69-4180-9566-9FA9FAD25B98} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\exusltb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\exusltb.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows all
      Signatures: Interacts with shadow copies
    - C:\Users\Admin\AppData\Local\Temp\exusltb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
      Signatures: Executes dropped EXE; Checks computer location settings; Drops file in System32 directory; Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x594
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads