Analysis
max time kernel: 151s
max time network: 43s
platform: windows7_x64
resource: win7v20210410
submitted: 26-07-2021 12:39
Static task: static1
Behavioral task: behavioral1
  Sample: 743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
  Resource: win10v20210410
General
Target: 743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
Size: 653KB
MD5: b2e27e88dd895d90f19c8d0314662720
SHA1: cc69874f94ae42a274e4b3171e850ad2d3c02465
SHA256: 743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87
SHA512: 85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2
Malware Config
Extracted from C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yhsgjrd.txt:
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion/
Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-yhsgjrd.txt:
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion/
Extracted from C:\ProgramData\ummcbbc.html:
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion
Signatures
CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    1624 | exusltb.exe
    1184 | exusltb.exe
Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
    File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SplitInstall.CRW.yhsgjrd | svchost.exe
    File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\FormatHide.RAW.yhsgjrd | svchost.exe
    File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConvertFromExport.RAW.yhsgjrd | svchost.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation | exusltb.exe
Drops desktop.ini file(s) (1 IoC)
  Processes (description / ioc / process):
    File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
Drops file in System32 directory (1 IoC)
  Processes (description / ioc / process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | exusltb.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-yhsgjrd.bmp" | Explorer.EXE
Drops file in Program Files directory (2 IoCs)
  Processes (description / ioc / process):
    File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yhsgjrd.txt | svchost.exe
    File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yhsgjrd.bmp | svchost.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid / process):
    1352 | vssadmin.exe
Modifies Internet Explorer settings
  Processes (description / ioc / process):
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | exusltb.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | exusltb.exe
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | exusltb.exe
Modifies data under HKEY_USERS (20 IoCs)
  Processes (description / ioc / process):
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0" | svchost.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000 | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963} | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
    2000 | 743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
    1624 | exusltb.exe
    1624 | exusltb.exe
    1624 | exusltb.exe
    1624 | exusltb.exe
    1624 | exusltb.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
    1260 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege | 1624 | exusltb.exe
    Token: SeDebugPrivilege | 1624 | exusltb.exe
    Token: SeShutdownPrivilege | 1260 | Explorer.EXE
    Token: 33 | 940 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 940 | AUDIODG.EXE
    Token: 33 | 940 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 940 | AUDIODG.EXE
Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes (pid / process):
    1184 | exusltb.exe
    1260 | Explorer.EXE
    1260 | Explorer.EXE
    1260 | Explorer.EXE
    1260 | Explorer.EXE
Suspicious use of SendNotifyMessage (5 IoCs)
  Processes (pid / process):
    1184 | exusltb.exe
    1260 | Explorer.EXE
    1260 | Explorer.EXE
    1260 | Explorer.EXE
    1260 | Explorer.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
    1184 | exusltb.exe
    1184 | exusltb.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description / pid / process / target process):
    PID 1216 wrote to memory of 1624 | 1216 | taskeng.exe | exusltb.exe
    PID 1216 wrote to memory of 1624 | 1216 | taskeng.exe | exusltb.exe
    PID 1216 wrote to memory of 1624 | 1216 | taskeng.exe | exusltb.exe
    PID 1216 wrote to memory of 1624 | 1216 | taskeng.exe | exusltb.exe
    PID 1624 wrote to memory of 584 | 1624 | exusltb.exe | svchost.exe
    PID 584 wrote to memory of 636 | 584 | svchost.exe | DllHost.exe
    PID 584 wrote to memory of 636 | 584 | svchost.exe | DllHost.exe
    PID 584 wrote to memory of 636 | 584 | svchost.exe | DllHost.exe
    PID 1624 wrote to memory of 1260 | 1624 | exusltb.exe | Explorer.EXE
    PID 1624 wrote to memory of 1352 | 1624 | exusltb.exe | vssadmin.exe
    PID 1624 wrote to memory of 1352 | 1624 | exusltb.exe | vssadmin.exe
    PID 1624 wrote to memory of 1352 | 1624 | exusltb.exe | vssadmin.exe
    PID 1624 wrote to memory of 1352 | 1624 | exusltb.exe | vssadmin.exe
    PID 1624 wrote to memory of 1184 | 1624 | exusltb.exe | exusltb.exe
    PID 1624 wrote to memory of 1184 | 1624 | exusltb.exe | exusltb.exe
    PID 1624 wrote to memory of 1184 | 1624 | exusltb.exe | exusltb.exe
    PID 1624 wrote to memory of 1184 | 1624 | exusltb.exe | exusltb.exe
    PID 584 wrote to memory of 1072 | 584 | svchost.exe | DllHost.exe
    PID 584 wrote to memory of 1072 | 584 | svchost.exe | DllHost.exe
    PID 584 wrote to memory of 1072 | 584 | svchost.exe | DllHost.exe
Processes (tree depth in brackets)
C:\Windows\Explorer.EXE [1]
  Command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Users\Admin\AppData\Local\Temp\743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe [2]
    Command line: "C:\Users\Admin\AppData\Local\Temp\743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe"
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\svchost.exe [1]
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\DllHost.exe [2]
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  C:\Windows\system32\DllHost.exe [2]
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\taskeng.exe [1]
  Command line: taskeng.exe {147575DC-6DA4-4A2A-86BF-9514B0CC2F4B} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\exusltb.exe [2]
    Command line: C:\Users\Admin\AppData\Local\Temp\exusltb.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vssadmin.exe [3]
      Command line: vssadmin delete shadows all
      - Interacts with shadow copies
    C:\Users\Admin\AppData\Local\Temp\exusltb.exe [3]
      Command line: "C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in System32 directory
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
C:\Windows\system32\AUDIODG.EXE [1]
  Command line: C:\Windows\system32\AUDIODG.EXE 0x59c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Microsoft Help\grnkdai
  MD5: 5ed779c649dd104ea114a4adee61e18b
  SHA1: 8a58a1eed411445183a6258dcd73b8498570c87d
  SHA256: 5b1c599d2dc6373270df17da11d1bfbc4b650876c207dc1ab26ed8272558d726
  SHA512: 5d89af67915e29ed987f4ef8048f294ad8fa66d9d71c818850c876d4088b94e40437c141ebad7247744355a74f7411f78227b3584c4b56ff33297d58f55066d6
C:\ProgramData\Microsoft Help\grnkdai
  MD5: edf1af3a105390eab8e374e4b08ab8dc
  SHA1: 61070e991c80d382803791cf18cec706c5fc0c42
  SHA256: 92bfd70b6cf787baabb6e84c45ce5af7970cb3d746136b84f31a8c419a42ac74
  SHA512: 4e1f70823502e75ff7eeff4ecb89f8b532dce97fdf1561f35c2447a39a59e0e2908071a0f20599f9294f86b62977ffb48150a83c8ad8d2f596141840ca291071
C:\ProgramData\Microsoft Help\grnkdai
  MD5: 1dd61beaa89d2089d0064f1b09c389b8
  SHA1: aa88b7ec074aabb08628af6d942ea6d7eae238d4
  SHA256: e6a0fe9f93c1d99b5f2634fadbf519daa17699708230d1450aaf4c692279168d
  SHA512: 57f1d0d69a446d263552edb1480da8e6b0c685368a9305c06de437e8c9cee75b5937566ce20f15af38c9925be29bd5d1fd68f98a0264c021403b60c97e37051a
C:\ProgramData\ummcbbc.html
  MD5: 0529142322bce9b96280cbd74782d8ba
  SHA1: 77b7ff7aa39899ee1c54509d186c834797d1f04c
  SHA256: 3521de58f3519d7d1db706db9719f5a31a2d300ed63220cd199dbc2088c4785d
  SHA512: 33bb4829ed7397bade2f37fbacb3380e2df3f2710a6ea410842c3fa7db3c465bf644d1a73124c5eba802d9795f91b7a6307818ea5c12cffd3587efa2c9f5c279
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
  MD5: b2e27e88dd895d90f19c8d0314662720
  SHA1: cc69874f94ae42a274e4b3171e850ad2d3c02465
  SHA256: 743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87
  SHA512: 85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2
Memory dumps (name / filesize):
  memory/584-73-0x000007FEFB571000-0x000007FEFB573000-memory.dmp | 8KB
  memory/584-69-0x0000000000440000-0x00000000004B7000-memory.dmp | 476KB
  memory/636-72-0x0000000000000000-mapping.dmp
  memory/1072-85-0x0000000000000000-mapping.dmp
  memory/1184-78-0x0000000000000000-mapping.dmp
  memory/1184-82-0x0000000000770000-0x00000000009BB000-memory.dmp | 2.3MB
  memory/1184-84-0x0000000000150000-0x0000000000151000-memory.dmp | 4KB
  memory/1352-77-0x0000000000000000-mapping.dmp
  memory/1624-68-0x0000000000910000-0x0000000000B5B000-memory.dmp | 2.3MB
  memory/1624-64-0x0000000000000000-mapping.dmp
  memory/2000-60-0x0000000000830000-0x0000000000A4A000-memory.dmp | 2.1MB
  memory/2000-62-0x0000000000A50000-0x0000000000C9B000-memory.dmp | 2.3MB
  memory/2000-61-0x0000000075161000-0x0000000075163000-memory.dmp | 8KB