ctblocker | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f

Analysis

max time kernel
150s
max time network
51s
platform
windows7_x64
resource
win7v20210410
submitted
26-07-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
Size

731KB
MD5

3d9a9103b13744b626e67f5dab6618e7
SHA1

9ad16fb6810dd136985c8a78688b81e275ddf979
SHA256

1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
SHA512

b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-aijhjrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 6UQYQQV-5AXU6LP-HNJSOYN-LHAZLEI-Y35L725-UA6DH6P-7627YWS-ABULIOH EVQC7WZ-5GZIAOH-MB4WJRT-Q3FNXDE-FC6IEQX-OXZKVCJ-NZIKHMC-MJMBU4D OVNUF2A-7XC6CGT-M7BPSSN-2X2STIX-AWEDCO6-ODCMFW3-YMCXJTC-I2NNJWW Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-aijhjrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 6UQYQQV-5AXU6LP-HNJSOYN-LHAZLEI-Y35L725-UA6DH6P-7627YWS-ABULIOH EVQC7WZ-5GZIAOH-MB4WJRT-Q3FNXDE-FC6IEQX-OXZKVCJ-NZIKHMC-MJMBU4D OVNUF2A-7XC6CGT-M7BPSSN-2X2STIX-AWEDT46-EVCMFW3-YMCXJTC-I2N5LMV Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\ummcbbc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

exusltb.exeexusltb.exeexusltb.exeexusltb.exe

pid process

1724 exusltb.exe
1224 exusltb.exe
1108 exusltb.exe
1620 exusltb.exe

pid	process
1724	exusltb.exe
1224	exusltb.exe
1108	exusltb.exe
1620	exusltb.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\FormatHide.RAW.aijhjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConvertFromExport.RAW.aijhjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SplitInstall.CRW.aijhjrd	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

exusltb.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation exusltb.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	exusltb.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

exusltb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	exusltb.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-aijhjrd.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exeexusltb.exeexusltb.exe

description	pid	process	target process
PID 1860 set thread context of 608	1860	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1724 set thread context of 1224	1724	exusltb.exe	exusltb.exe
PID 1108 set thread context of 1620	1108	exusltb.exe	exusltb.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-aijhjrd.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-aijhjrd.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1768 vssadmin.exe

pid	process
1768	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

exusltb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	exusltb.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	exusltb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	exusltb.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exeexusltb.exe

pid	process
608	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
1224	exusltb.exe
1224	exusltb.exe
1224	exusltb.exe
1224	exusltb.exe
1224	exusltb.exe
1224	exusltb.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

exusltb.exeExplorer.EXEAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1224	exusltb.exe
Token: SeDebugPrivilege	1224	exusltb.exe
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: 33	1400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1400	AUDIODG.EXE
Token: 33	1400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1400	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1620 exusltb.exe
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1620 exusltb.exe
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE

pid	process
1620	exusltb.exe
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
1620	exusltb.exe
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exeexusltb.exeexusltb.exeexusltb.exe

pid	process
1860	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
1724	exusltb.exe
1108	exusltb.exe
1620	exusltb.exe
1620	exusltb.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exetaskeng.exeexusltb.exeexusltb.exesvchost.exeexusltb.exe

description	pid	process	target process
PID 1860 wrote to memory of 608	1860	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608	1860	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608	1860	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608	1860	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608	1860	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608	1860	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608	1860	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1652 wrote to memory of 1724	1652	taskeng.exe	exusltb.exe
PID 1652 wrote to memory of 1724	1652	taskeng.exe	exusltb.exe
PID 1652 wrote to memory of 1724	1652	taskeng.exe	exusltb.exe
PID 1652 wrote to memory of 1724	1652	taskeng.exe	exusltb.exe
PID 1724 wrote to memory of 1224	1724	exusltb.exe	exusltb.exe
PID 1724 wrote to memory of 1224	1724	exusltb.exe	exusltb.exe
PID 1724 wrote to memory of 1224	1724	exusltb.exe	exusltb.exe
PID 1724 wrote to memory of 1224	1724	exusltb.exe	exusltb.exe
PID 1724 wrote to memory of 1224	1724	exusltb.exe	exusltb.exe
PID 1724 wrote to memory of 1224	1724	exusltb.exe	exusltb.exe
PID 1724 wrote to memory of 1224	1724	exusltb.exe	exusltb.exe
PID 1224 wrote to memory of 580	1224	exusltb.exe	svchost.exe
PID 580 wrote to memory of 1060	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 1060	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 1060	580	svchost.exe	DllHost.exe
PID 1224 wrote to memory of 1380	1224	exusltb.exe	Explorer.EXE
PID 1224 wrote to memory of 1768	1224	exusltb.exe	vssadmin.exe
PID 1224 wrote to memory of 1768	1224	exusltb.exe	vssadmin.exe
PID 1224 wrote to memory of 1768	1224	exusltb.exe	vssadmin.exe
PID 1224 wrote to memory of 1768	1224	exusltb.exe	vssadmin.exe
PID 1224 wrote to memory of 1108	1224	exusltb.exe	exusltb.exe
PID 1224 wrote to memory of 1108	1224	exusltb.exe	exusltb.exe
PID 1224 wrote to memory of 1108	1224	exusltb.exe	exusltb.exe
PID 1224 wrote to memory of 1108	1224	exusltb.exe	exusltb.exe
PID 1108 wrote to memory of 1620	1108	exusltb.exe	exusltb.exe
PID 1108 wrote to memory of 1620	1108	exusltb.exe	exusltb.exe
PID 1108 wrote to memory of 1620	1108	exusltb.exe	exusltb.exe
PID 1108 wrote to memory of 1620	1108	exusltb.exe	exusltb.exe
PID 1108 wrote to memory of 1620	1108	exusltb.exe	exusltb.exe
PID 1108 wrote to memory of 1620	1108	exusltb.exe	exusltb.exe
PID 1108 wrote to memory of 1620	1108	exusltb.exe	exusltb.exe
PID 580 wrote to memory of 1604	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 1604	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 1604	580	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380

C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1604

C:\Windows\system32\taskeng.exe
taskeng.exe {1BE0CBE4-911B-48D1-B680-F34040E03C34} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:1768

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x26c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\grnkdai
MD5
fe8e5290385df3f9d101d4a741f9bb55

SHA1
a37a8f6cc2ed1f299d98f79b041d8b43dc9e6eea

SHA256
93d66e8fa46ed13a17fecd212383b0dc85efeeb47b99e7a40d6385c6636e8be9

SHA512
3be1c439e3a11399b10b6c56c5319fc364c484e454310ab687310717327a74c346a279dd96c7435b676138cf8b160a96fa37645ea3a0f635733c783837766101

Download Submit
C:\ProgramData\Microsoft Help\grnkdai
MD5
fe8e5290385df3f9d101d4a741f9bb55

SHA1
a37a8f6cc2ed1f299d98f79b041d8b43dc9e6eea

SHA256
93d66e8fa46ed13a17fecd212383b0dc85efeeb47b99e7a40d6385c6636e8be9

SHA512
3be1c439e3a11399b10b6c56c5319fc364c484e454310ab687310717327a74c346a279dd96c7435b676138cf8b160a96fa37645ea3a0f635733c783837766101

Download Submit
C:\ProgramData\Microsoft Help\grnkdai
MD5
aa82244cf6d3354cfc5146f3d513e20c

SHA1
6878534a9f3adaeb4c3afddcf48e8407a0ae7e7d

SHA256
2d636f8bb6b712a2c0279f19bd55af13124fbcf52f23a19561aa9ff1ec1df5a3

SHA512
6a09f1d3381512d33c3646216326a79c9918da34e91eea279921e01035e311d1124549e90cf520b7b5c3503768c68c1f51ce9f046c4fb5b35bb831a1fcf6f1ad

Download Submit
C:\ProgramData\Microsoft Help\grnkdai
MD5
6855ae266727911674dad6aa9310a827

SHA1
7f1da8283ccd56bb8a5141f6c0636f8e3d7b09dd

SHA256
916c8c7e5fdce76bb6d978edb3bce1348d0c48ca4a29eebfbaeaa8d7a6618aca

SHA512
e7b8a1d70a05ba3e6157f4bd9241f981963e1782a9ee1cace4c4fe3acd485e7285e49eced16399abad144b5241980c8cfdac08d4f9a8c438e7a6baf13202faf9

Download Submit
C:\ProgramData\ummcbbc.html
MD5
7c99b464cde9a9872192d5a32156115b

SHA1
542c3a825aeed96bc2181cbd1352721570630c3a

SHA256
9251f2a0aeb5edcd7bcbf4c56cd082256000e6b49c81ad444cb45a5c9462c2d4

SHA512
c060263ddc92ac2ebe890b9f1dd2b6489b827cdcd5e6e57b722a62c9a082eef5bf8029be3893989c656bdf69d5f8da0f75bc07199d72f5a062a044be61915274

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
3d9a9103b13744b626e67f5dab6618e7

SHA1
9ad16fb6810dd136985c8a78688b81e275ddf979

SHA256
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f

SHA512
b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
3d9a9103b13744b626e67f5dab6618e7

SHA1
9ad16fb6810dd136985c8a78688b81e275ddf979

SHA256
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f

SHA512
b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
3d9a9103b13744b626e67f5dab6618e7

SHA1
9ad16fb6810dd136985c8a78688b81e275ddf979

SHA256
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f

SHA512
b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
3d9a9103b13744b626e67f5dab6618e7

SHA1
9ad16fb6810dd136985c8a78688b81e275ddf979

SHA256
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f

SHA512
b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
3d9a9103b13744b626e67f5dab6618e7

SHA1
9ad16fb6810dd136985c8a78688b81e275ddf979

SHA256
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f

SHA512
b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34

Download Submit
memory/580-79-0x00000000004A0000-0x0000000000517000-memory.dmp

Filesize
476KB

Download
memory/580-83-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/608-62-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/608-67-0x0000000000400000-0x00000000004A4400-memory.dmp

Filesize
657KB

Download
memory/608-66-0x00000000006D0000-0x000000000091B000-memory.dmp

Filesize
2.3MB

Download
memory/608-65-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/608-64-0x00000000004B0000-0x00000000006CA000-memory.dmp

Filesize
2.1MB

Download
memory/608-63-0x000000000042CD47-mapping.dmp

Download
memory/1060-82-0x0000000000000000-mapping.dmp

Download
memory/1108-88-0x0000000000000000-mapping.dmp

Download
memory/1224-78-0x0000000000C10000-0x0000000000E5B000-memory.dmp

Filesize
2.3MB

Download
memory/1224-74-0x000000000042CD47-mapping.dmp

Download
memory/1604-100-0x0000000000000000-mapping.dmp

Download
memory/1620-93-0x000000000042CD47-mapping.dmp

Download
memory/1620-97-0x0000000000940000-0x0000000000B8B000-memory.dmp

Filesize
2.3MB

Download
memory/1620-99-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1724-69-0x0000000000000000-mapping.dmp

Download
memory/1768-87-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads