Overview

overview

10

Static

static

d96950d143...le.exe

windows7_x64

10

d96950d143...le.exe

windows10_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-07-2021 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe

  • Size

    682KB

  • MD5

    45ec8fc71ee99d25db903a68ca7f5ec3

  • SHA1

    d460fc45d2355d352e60c1e95b0156f69487372e

  • SHA256

    d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

  • SHA512

    85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-oidgvle.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YCYJBGE-VTMZTG7-KTNYTQ7-IQUSEGT-BG33S25-TBJJRG3-4QECMPE-A22SPWF Z4ZU2GK-4OCWOXF-PT77OWD-VHFJFHP-USIGXLI-ZCSI563-6RBMJRZ-ZSIFI7Q 7F2HF7R-J3UTVJL-S6ZQACM-VE5K72P-5IEQWF6-R2OTC6V-XSRBEJS-JXDN37U Follow the instructions on the server.
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\siyrcpf.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 4 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies data under HKEY_USERS
    PID:696
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
      "C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
        "C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:348
  • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
      "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows all
        3⤵
        • Interacts with shadow copies
        PID:1148
      • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
        "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe" -u
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
          "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in System32 directory
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    f64d6f5bbdcabdc8af0ad960331c8bd1

    SHA1

    7bef51d9bb0361b74a97a9fd8721936a40937b38

    SHA256

    0739ac709bcae44cb58c3ffbfa47d2b00c97ffd8c3e0e48f08c922b8da41540e

    SHA512

    4fc410992bf11ba7fb7804953992820e2c529c360a44ee0f28135a9e2a63ed1b4e1c52071c7dc20ef67bb4601aaf36e4de6461b06571d8e08eca5d6221d3349a

    Download Submit
  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    f64d6f5bbdcabdc8af0ad960331c8bd1

    SHA1

    7bef51d9bb0361b74a97a9fd8721936a40937b38

    SHA256

    0739ac709bcae44cb58c3ffbfa47d2b00c97ffd8c3e0e48f08c922b8da41540e

    SHA512

    4fc410992bf11ba7fb7804953992820e2c529c360a44ee0f28135a9e2a63ed1b4e1c52071c7dc20ef67bb4601aaf36e4de6461b06571d8e08eca5d6221d3349a

    Download Submit
  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    075e9e231949e713ffd264b95897d457

    SHA1

    2ee8b70d13603fe5f15635d4c8c3393a650be3cf

    SHA256

    b760a1e6e2a0c2b6ca33434251e19f20e2e3e6e36e2053468a557b8933363be0

    SHA512

    c67b3f79531f70e756700ecd8411d36dd4628d539531cb7ae9cf1dab32ddc0f54d5d6ffadd77998b9fd26df90dbe92147270ca84cbd0f5787170ba7c4e1976e0

    Download Submit
  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    126c9672848bac8050f8f63b4afbe3c5

    SHA1

    58cdefde08ff84b453eb5a1d42d00370ff8b8dc8

    SHA256

    1678b5c311334253be5678d5986bae53b61f0a061fb4ea3c63a4d9b64e5ecf9f

    SHA512

    6d771799118363a7d4358354db59ca2f3f6f430c342a0d9f54e2d5d65b33586a2d6cbb34ea535e0403a3d890e593ab9bd8fd4043a9ecb7c2b0db61934330ef7d

    Download Submit
  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    273fa494b1275bde1cbf2ad82b6b8c14

    SHA1

    f32c6e8d0f29ab44cf995bc38df9ec1cb3fd4c12

    SHA256

    639b9fb475e945c8f64b09aa97ed45b6c9ddc9992e267a5eaecad9cf0dd2808d

    SHA512

    92c9819cc378766a2cd1c3b3f810ae81244a2224cbc6034f7118ec3d578f5814ad1d523beda16b48eb8d2d0368d59400c4ed89b52be505f55be3f298e23f8a94

    Download Submit
  • C:\ProgramData\siyrcpf.html
    MD5

    fe807332938c236f20534b90979dd8da

    SHA1

    1fa39d0a08a893a1611993a3cc21197659817b94

    SHA256

    4b3b9ddfb356728896239bd04f7fc13f830b35dc49135c817f7627b6b4e1f2e6

    SHA512

    86b68070e1b7cae03332fa280cd8ae6e70c4894a539e3c3f4d6b487e17cdd49b10bfc7d59eafa99225ced7bbd32d28ca8cbc4807caf9ee5fd381dc87367906c2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    MD5

    45ec8fc71ee99d25db903a68ca7f5ec3

    SHA1

    d460fc45d2355d352e60c1e95b0156f69487372e

    SHA256

    d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

    SHA512

    85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    MD5

    45ec8fc71ee99d25db903a68ca7f5ec3

    SHA1

    d460fc45d2355d352e60c1e95b0156f69487372e

    SHA256

    d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

    SHA512

    85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    MD5

    45ec8fc71ee99d25db903a68ca7f5ec3

    SHA1

    d460fc45d2355d352e60c1e95b0156f69487372e

    SHA256

    d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

    SHA512

    85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    MD5

    45ec8fc71ee99d25db903a68ca7f5ec3

    SHA1

    d460fc45d2355d352e60c1e95b0156f69487372e

    SHA256

    d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

    SHA512

    85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    MD5

    45ec8fc71ee99d25db903a68ca7f5ec3

    SHA1

    d460fc45d2355d352e60c1e95b0156f69487372e

    SHA256

    d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab

    SHA512

    85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.oidgvle
    MD5

    bae7adf938e0d256512bfa1d79da579b

    SHA1

    6e10b81d6fd3360ea617263dd44baadca3e45380

    SHA256

    8141a8486449863312d381d0f4f99ebd7075bae4bb3b0a247f059647f2a7a290

    SHA512

    cc8612ae053cfa8cf90b29224d928355f121a16a39d54ed45a7647a6591c0af580189496606f49c09df2a399395d0c636a03b5d04ca69c2a706c961a0ab97fc2

    Download Submit
  • memory/348-117-0x0000000000400000-0x00000000004A5000-memory.dmp
    Filesize

    660KB

    Download
  • memory/348-121-0x0000000000970000-0x0000000000BBB000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/348-120-0x0000000000400000-0x00000000004A4400-memory.dmp
    Filesize

    657KB

    Download
  • memory/348-119-0x0000000000750000-0x000000000096A000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/348-118-0x000000000042CD47-mapping.dmp
    Download
  • memory/568-114-0x0000000000830000-0x0000000001133000-memory.dmp
    Filesize

    9.0MB

    Download
  • memory/696-131-0x0000000009990000-0x0000000009A07000-memory.dmp
    Filesize

    476KB

    Download
  • memory/1148-139-0x0000000000000000-mapping.dmp
    Download
  • memory/2136-145-0x000000000042CD47-mapping.dmp
    Download
  • memory/2240-140-0x0000000000000000-mapping.dmp
    Download
  • memory/4032-130-0x0000000000A80000-0x0000000000CCB000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/4032-127-0x000000000042CD47-mapping.dmp
    Download