ctblocker | d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

Analysis

max time kernel
150s
max time network
35s
platform
windows7_x64
resource
win7v20210410
submitted
26-07-2021 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
Size

682KB
MD5

45ec8fc71ee99d25db903a68ca7f5ec3
SHA1

d460fc45d2355d352e60c1e95b0156f69487372e
SHA256

d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab
SHA512

85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ouygjrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. TJ337DV-PZHA57M-XHDAY4J-UXUBAZM-ASEVQVR-Z2LUTCC-CBOSWFC-ACU7OZA IJHWUAF-CDS3CL7-3DONPA3-X7VDEHX-SKHOFHM-45YUN7Z-SSP2FRE-BWRGFUS GV2PKO6-KKB6TQZ-7Z6CMAD-JPDCOM6-4SSXRCS-4VYUCVI-J5BNTLC-FW4QXQQ Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-ouygjrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. TJ337DV-PZHA57M-XHDAY4J-UXUBAZM-ASEVQVR-Z2LUTCC-CBOSWFC-ACU7OZA IJHWUAF-CDS3CL7-3DONPA3-X7VDEHX-SKHOFHM-45YUN7Z-SSP2FRE-BWRGFUS GV2PKO6-KKB6TQZ-7Z6CMAD-JPDCOM6-4SSXBQS-CCYUCVI-J5BNTLC-FW4QOPA Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\ummcbbc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

exusltb.exeexusltb.exeexusltb.exeexusltb.exe

pid process

1200 exusltb.exe
880 exusltb.exe
1092 exusltb.exe
1992 exusltb.exe

pid	process
1200	exusltb.exe
880	exusltb.exe
1092	exusltb.exe
1992	exusltb.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UnblockSuspend.RAW.ouygjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ReceiveCompare.CRW.ouygjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UnpublishSync.RAW.ouygjrd	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

exusltb.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation exusltb.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	exusltb.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

exusltb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	exusltb.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-ouygjrd.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exeexusltb.exeexusltb.exe

description	pid	process	target process
PID 916 set thread context of 1968	916	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
PID 1200 set thread context of 880	1200	exusltb.exe	exusltb.exe
PID 1092 set thread context of 1992	1092	exusltb.exe	exusltb.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ouygjrd.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ouygjrd.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

544 vssadmin.exe

pid	process
544	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

exusltb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	exusltb.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	exusltb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	exusltb.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exeexusltb.exe

pid	process
1968	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
880	exusltb.exe
880	exusltb.exe
880	exusltb.exe
880	exusltb.exe
880	exusltb.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

exusltb.exeExplorer.EXEAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	880	exusltb.exe
Token: SeDebugPrivilege	880	exusltb.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: 33	1256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1256	AUDIODG.EXE
Token: 33	1256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1256	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1992 exusltb.exe
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1992 exusltb.exe
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exeexusltb.exeexusltb.exeexusltb.exe

pid process

916 d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
1200 exusltb.exe
1092 exusltb.exe
1992 exusltb.exe
1992 exusltb.exe

pid	process
1992	exusltb.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1992	exusltb.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
916	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
1200	exusltb.exe
1092	exusltb.exe
1992	exusltb.exe
1992	exusltb.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exetaskeng.exeexusltb.exeexusltb.exesvchost.exeexusltb.exe

description	pid	process	target process
PID 916 wrote to memory of 1968	916	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
PID 916 wrote to memory of 1968	916	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
PID 916 wrote to memory of 1968	916	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
PID 916 wrote to memory of 1968	916	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
PID 916 wrote to memory of 1968	916	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
PID 916 wrote to memory of 1968	916	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
PID 916 wrote to memory of 1968	916	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe	d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
PID 1736 wrote to memory of 1200	1736	taskeng.exe	exusltb.exe
PID 1736 wrote to memory of 1200	1736	taskeng.exe	exusltb.exe
PID 1736 wrote to memory of 1200	1736	taskeng.exe	exusltb.exe
PID 1736 wrote to memory of 1200	1736	taskeng.exe	exusltb.exe
PID 1200 wrote to memory of 880	1200	exusltb.exe	exusltb.exe
PID 1200 wrote to memory of 880	1200	exusltb.exe	exusltb.exe
PID 1200 wrote to memory of 880	1200	exusltb.exe	exusltb.exe
PID 1200 wrote to memory of 880	1200	exusltb.exe	exusltb.exe
PID 1200 wrote to memory of 880	1200	exusltb.exe	exusltb.exe
PID 1200 wrote to memory of 880	1200	exusltb.exe	exusltb.exe
PID 1200 wrote to memory of 880	1200	exusltb.exe	exusltb.exe
PID 880 wrote to memory of 580	880	exusltb.exe	svchost.exe
PID 580 wrote to memory of 1832	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 1832	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 1832	580	svchost.exe	DllHost.exe
PID 880 wrote to memory of 1208	880	exusltb.exe	Explorer.EXE
PID 880 wrote to memory of 544	880	exusltb.exe	vssadmin.exe
PID 880 wrote to memory of 544	880	exusltb.exe	vssadmin.exe
PID 880 wrote to memory of 544	880	exusltb.exe	vssadmin.exe
PID 880 wrote to memory of 544	880	exusltb.exe	vssadmin.exe
PID 880 wrote to memory of 1092	880	exusltb.exe	exusltb.exe
PID 880 wrote to memory of 1092	880	exusltb.exe	exusltb.exe
PID 880 wrote to memory of 1092	880	exusltb.exe	exusltb.exe
PID 880 wrote to memory of 1092	880	exusltb.exe	exusltb.exe
PID 1092 wrote to memory of 1992	1092	exusltb.exe	exusltb.exe
PID 1092 wrote to memory of 1992	1092	exusltb.exe	exusltb.exe
PID 1092 wrote to memory of 1992	1092	exusltb.exe	exusltb.exe
PID 1092 wrote to memory of 1992	1092	exusltb.exe	exusltb.exe
PID 1092 wrote to memory of 1992	1092	exusltb.exe	exusltb.exe
PID 1092 wrote to memory of 1992	1092	exusltb.exe	exusltb.exe
PID 1092 wrote to memory of 1992	1092	exusltb.exe	exusltb.exe
PID 580 wrote to memory of 908	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 908	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 908	580	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1208

C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
"C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
"C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:908

C:\Windows\system32\taskeng.exe
taskeng.exe {22159274-32D0-4A17-A3DC-C027D2527EA7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:544

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x228
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\grnkdai
MD5
3d448c3b2aa1b73b50b01eda8b8e5bad

SHA1
e1288c5396077e4bfbc6c08ca1ae6d3a497425bf

SHA256
c334be02e307d90ce313ce4e13b602f545cb8b90524eea93731bf94b46778b90

SHA512
3923594b8f9b6f995de11660abe4a7eccc640101033825528994def580cc85a8ca8662de120ff373b4cd83798dbbe4755620fa73b0b5a64f13985083af47e4b3

Download Submit
C:\ProgramData\Mozilla\grnkdai
MD5
3d448c3b2aa1b73b50b01eda8b8e5bad

SHA1
e1288c5396077e4bfbc6c08ca1ae6d3a497425bf

SHA256
c334be02e307d90ce313ce4e13b602f545cb8b90524eea93731bf94b46778b90

SHA512
3923594b8f9b6f995de11660abe4a7eccc640101033825528994def580cc85a8ca8662de120ff373b4cd83798dbbe4755620fa73b0b5a64f13985083af47e4b3

Download Submit
C:\ProgramData\Mozilla\grnkdai
MD5
236aa221ef4d9cd94651633c4c6b5b35

SHA1
f924803c1afc7cc27cdee57fb45078d26714adc6

SHA256
afe78b207aa9660fc5afa25612239a6c08a216668b0cbe6200e2ef60883f3ada

SHA512
12639e51c06d26e745e1e6e459e99df0c49fd723b52a37367985a93e890791a9d9741c25531e755c03cc113c81f0e35119e532e141af2687ab04fed731dc4e5a

Download Submit
C:\ProgramData\Mozilla\grnkdai
MD5
7038ec3fa76f6137436a0f91e28aa2b3

SHA1
2c33c7219ff442b6d9c1bcaad659d7c70efd0162

SHA256
2b164ef89bdce6b1e646baa3445e3b90bec56e320bbddd05d2a7116fbc0c0dec

SHA512
8aeb80777df46a93a5798a72da41dab43faacdedaf186e0fc9c4c842a6a970e8edb53ef7b138930f0a3262f9d8249e5c4c6ce6899ccd4da2b4535a3daaf358b7

Download Submit
C:\ProgramData\ummcbbc.html
MD5
5f7bd089077fb6b7244ac81e93efb62f

SHA1
37b8f76b3be3d0ee4cb40b0d6de94206a037f5f7

SHA256
854910482b1026c5ae107f14b1ba5a230baf91391ef1f93b7dccdcd5a8e1e993

SHA512
27152073458db530c5c28b9ee98b192f6f16b93e3199d3c22dfb5eacc000981b229df827f6959f3db8e8a118f1b68a6e135d6f9b85d58b30c757408f3c74b406

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
45ec8fc71ee99d25db903a68ca7f5ec3

SHA1
d460fc45d2355d352e60c1e95b0156f69487372e

SHA256
d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

SHA512
85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
45ec8fc71ee99d25db903a68ca7f5ec3

SHA1
d460fc45d2355d352e60c1e95b0156f69487372e

SHA256
d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

SHA512
85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
45ec8fc71ee99d25db903a68ca7f5ec3

SHA1
d460fc45d2355d352e60c1e95b0156f69487372e

SHA256
d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

SHA512
85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
45ec8fc71ee99d25db903a68ca7f5ec3

SHA1
d460fc45d2355d352e60c1e95b0156f69487372e

SHA256
d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

SHA512
85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
45ec8fc71ee99d25db903a68ca7f5ec3

SHA1
d460fc45d2355d352e60c1e95b0156f69487372e

SHA256
d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

SHA512
85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

Download Submit
memory/544-87-0x0000000000000000-mapping.dmp

Download
memory/580-83-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/580-79-0x0000000000270000-0x00000000002E7000-memory.dmp

Filesize
476KB

Download
memory/880-74-0x000000000042CD47-mapping.dmp

Download
memory/880-78-0x00000000008E0000-0x0000000000B2B000-memory.dmp

Filesize
2.3MB

Download
memory/908-100-0x0000000000000000-mapping.dmp

Download
memory/916-61-0x0000000000660000-0x0000000000F63000-memory.dmp

Filesize
9.0MB

Download
memory/1092-88-0x0000000000000000-mapping.dmp

Download
memory/1200-69-0x0000000000000000-mapping.dmp

Download
memory/1832-82-0x0000000000000000-mapping.dmp

Download
memory/1968-64-0x0000000000700000-0x000000000091A000-memory.dmp

Filesize
2.1MB

Download
memory/1968-63-0x000000000042CD47-mapping.dmp

Download
memory/1968-67-0x0000000000400000-0x00000000004A4400-memory.dmp

Filesize
657KB

Download
memory/1968-65-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1968-66-0x0000000000920000-0x0000000000B6B000-memory.dmp

Filesize
2.3MB

Download
memory/1968-62-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1992-93-0x000000000042CD47-mapping.dmp

Download
memory/1992-97-0x00000000006D0000-0x000000000091B000-memory.dmp

Filesize
2.3MB

Download
memory/1992-99-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads