Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-07-2021 12:57
General
-
Target
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
-
Size
731KB
-
MD5
3d9a9103b13744b626e67f5dab6618e7
-
SHA1
9ad16fb6810dd136985c8a78688b81e275ddf979
-
SHA256
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
-
SHA512
b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34
Malware Config
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-ywrfvle.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\ProgramData\siyrcpf.html
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 6 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exeC:\Users\Admin\AppData\Local\Temp\gvpesyf.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all3⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe" -u3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft OneDrive\kqqzngiMD5
3caa504aa2f2abf61328e4017f7f6280
SHA1cab901ddee471e9d3d089e00de1eef55870ab7e0
SHA2560fa5c00c0fbfd16671b3ad680d0a574ae030c98463fcb493089a53831b21604d
SHA512338732ce07f62c26b688130b6f3a3534c1095ab24b83d69fb980c9733b5df07af02ebf5fccf7f66c52243b8d9c9811d8790766a39d39a61052c46b279f49e4f8
-
C:\ProgramData\Microsoft OneDrive\kqqzngiMD5
3caa504aa2f2abf61328e4017f7f6280
SHA1cab901ddee471e9d3d089e00de1eef55870ab7e0
SHA2560fa5c00c0fbfd16671b3ad680d0a574ae030c98463fcb493089a53831b21604d
SHA512338732ce07f62c26b688130b6f3a3534c1095ab24b83d69fb980c9733b5df07af02ebf5fccf7f66c52243b8d9c9811d8790766a39d39a61052c46b279f49e4f8
-
C:\ProgramData\Microsoft OneDrive\kqqzngiMD5
829ded0faec1c219f9496776041373bd
SHA16243538e0c2f09ce858f89427deded68771e4d8e
SHA25686b9e86fe87e443f3fed38c78ad41aef7b29b88afb12518d924c771f7f473208
SHA5127136a6dae2b5113a11e3c4eaf3a6e8e682585b0ea0f72d19b634855a7b1b16f55de811568479c433afbbe390a8020bbe50be95c6bb6e5795c8b963900ede78ae
-
C:\ProgramData\Microsoft OneDrive\kqqzngiMD5
1efc2b86eb12118d93a1cbfedab54d36
SHA136be3a0ec8bb3b032e5c855f3c8490526437a08c
SHA256c9a0f0f6340f513e3ece18e3a6f0256bc8631e6603acfdc90d6d8335a812864f
SHA5125c411076c33b0cfb487f70ccd30a04f3b9960fd9f402a0b73d778cd60c93dee99231a69b110b4999699f97386bdbb8edd254b8f77d2a9a41deb5f9c12a7a418d
-
C:\ProgramData\Microsoft OneDrive\kqqzngiMD5
1efc2b86eb12118d93a1cbfedab54d36
SHA136be3a0ec8bb3b032e5c855f3c8490526437a08c
SHA256c9a0f0f6340f513e3ece18e3a6f0256bc8631e6603acfdc90d6d8335a812864f
SHA5125c411076c33b0cfb487f70ccd30a04f3b9960fd9f402a0b73d778cd60c93dee99231a69b110b4999699f97386bdbb8edd254b8f77d2a9a41deb5f9c12a7a418d
-
C:\ProgramData\siyrcpf.htmlMD5
e41df5bce7e1ac986ec5c92e32cd88bd
SHA11852710c3560eb8d715015d3c173a079218d4826
SHA256d6028ba7d8d23407aee73b93315f38c92af5db3ecff7a66c12a433dc432c23d6
SHA512418983453ab8ca19e2646eaf957fccd44435e20dd87c75b24aac012dbe811b28a9a9520886c2e9937247a3161131094d8b061b86cb11e7f39efce2c12dfe4a72
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exeMD5
3d9a9103b13744b626e67f5dab6618e7
SHA19ad16fb6810dd136985c8a78688b81e275ddf979
SHA2561acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
SHA512b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exeMD5
3d9a9103b13744b626e67f5dab6618e7
SHA19ad16fb6810dd136985c8a78688b81e275ddf979
SHA2561acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
SHA512b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exeMD5
3d9a9103b13744b626e67f5dab6618e7
SHA19ad16fb6810dd136985c8a78688b81e275ddf979
SHA2561acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
SHA512b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exeMD5
3d9a9103b13744b626e67f5dab6618e7
SHA19ad16fb6810dd136985c8a78688b81e275ddf979
SHA2561acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
SHA512b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exeMD5
3d9a9103b13744b626e67f5dab6618e7
SHA19ad16fb6810dd136985c8a78688b81e275ddf979
SHA2561acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
SHA512b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.ywrfvleMD5
b5d4b08ac5018764df6d527af428632f
SHA1d9bbac3a29e7d30411b05f639c833d32e8357758
SHA256d1daf4233397c1067ebda0f1866d41db5d4941e12d6acd61f0044b39110bdf75
SHA512d405445a932dcf218617b70f765486de53869e73bb697fba705c65825c5ece2bbfff43ac0e70c62cfc74ef4353f084bed2112fcb4cfe6f8a6fb6c845607f35ba
-
memory/728-130-0x000000000FA10000-0x000000000FA87000-memory.dmpFilesize
476KB
-
memory/1032-139-0x0000000000000000-mapping.dmp
-
memory/1520-144-0x000000000042CD47-mapping.dmp
-
memory/1520-147-0x0000000000A80000-0x0000000000CCB000-memory.dmpFilesize
2.3MB
-
memory/1996-129-0x0000000000980000-0x0000000000BCB000-memory.dmpFilesize
2.3MB
-
memory/1996-128-0x0000000000760000-0x000000000097A000-memory.dmpFilesize
2.1MB
-
memory/1996-126-0x000000000042CD47-mapping.dmp
-
memory/2784-116-0x0000000000400000-0x00000000004A5000-memory.dmpFilesize
660KB
-
memory/2784-120-0x0000000000910000-0x0000000000B5B000-memory.dmpFilesize
2.3MB
-
memory/2784-119-0x0000000000400000-0x00000000004A4400-memory.dmpFilesize
657KB
-
memory/2784-117-0x000000000042CD47-mapping.dmp
-
memory/2860-137-0x0000000000000000-mapping.dmp
