ctblocker | 743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

General

Target

743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
Size

653KB
MD5

b2e27e88dd895d90f19c8d0314662720
SHA1

cc69874f94ae42a274e4b3171e850ad2d3c02465
SHA256

743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87
SHA512

85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yhsgjrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YOTOBQN-TWSXU2L-IYKVCNV-QTBRGIS-AHO56FI-URBGHLU-QH7QQU3-3BOFDFN BOCJP5B-SHPNXOG-FUTYQKB-ALCLDT6-E5ATWYU-UO7ALDR-27IRBFR-TLEYK5U 5XHJVQ5-OP4DYYM-PCA23YW-LZMXLKE-ASGG737-BZY3DX6-YF63JQN-AUOEI25 Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-yhsgjrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YOTOBQN-TWSXU2L-IYKVCNV-QTBRGIS-AHO56FI-URBGHLU-QH7QQU3-3BOFDFN BOCJP5B-SHPNXOG-FUTYQKB-ALCLDT6-E5ATWYU-UO7ALDR-27IRBFR-TLEYK5U 5XHJVQ5-OP4DYYM-PCA23YW-LZMXLKE-ASGGOJ7-LPY3DX6-YF63JQN-AUOUKA6 Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\ProgramData\ummcbbc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

exusltb.exeexusltb.exe

pid process

1624 exusltb.exe
1184 exusltb.exe

pid	process
1624	exusltb.exe
1184	exusltb.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SplitInstall.CRW.yhsgjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\FormatHide.RAW.yhsgjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConvertFromExport.RAW.yhsgjrd	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

exusltb.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation exusltb.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	exusltb.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

exusltb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	exusltb.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-yhsgjrd.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yhsgjrd.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yhsgjrd.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1352 vssadmin.exe

pid	process
1352	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

exusltb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	exusltb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	exusltb.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	exusltb.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exeexusltb.exe

pid	process
2000	743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
1624	exusltb.exe
1624	exusltb.exe
1624	exusltb.exe
1624	exusltb.exe
1624	exusltb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE

pid	process
1260	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

exusltb.exeExplorer.EXEAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1624	exusltb.exe
Token: SeDebugPrivilege	1624	exusltb.exe
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: 33	940	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	940	AUDIODG.EXE
Token: 33	940	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	940	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1184 exusltb.exe
1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1184 exusltb.exe
1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

exusltb.exe

pid process

1184 exusltb.exe
1184 exusltb.exe

pid	process
1184	exusltb.exe
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

pid	process
1184	exusltb.exe
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

pid	process
1184	exusltb.exe
1184	exusltb.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

taskeng.exeexusltb.exesvchost.exe

description	pid	process	target process
PID 1216 wrote to memory of 1624	1216	taskeng.exe	exusltb.exe
PID 1216 wrote to memory of 1624	1216	taskeng.exe	exusltb.exe
PID 1216 wrote to memory of 1624	1216	taskeng.exe	exusltb.exe
PID 1216 wrote to memory of 1624	1216	taskeng.exe	exusltb.exe
PID 1624 wrote to memory of 584	1624	exusltb.exe	svchost.exe
PID 584 wrote to memory of 636	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 636	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 636	584	svchost.exe	DllHost.exe
PID 1624 wrote to memory of 1260	1624	exusltb.exe	Explorer.EXE
PID 1624 wrote to memory of 1352	1624	exusltb.exe	vssadmin.exe
PID 1624 wrote to memory of 1352	1624	exusltb.exe	vssadmin.exe
PID 1624 wrote to memory of 1352	1624	exusltb.exe	vssadmin.exe
PID 1624 wrote to memory of 1352	1624	exusltb.exe	vssadmin.exe
PID 1624 wrote to memory of 1184	1624	exusltb.exe	exusltb.exe
PID 1624 wrote to memory of 1184	1624	exusltb.exe	exusltb.exe
PID 1624 wrote to memory of 1184	1624	exusltb.exe	exusltb.exe
PID 1624 wrote to memory of 1184	1624	exusltb.exe	exusltb.exe
PID 584 wrote to memory of 1072	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 1072	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 1072	584	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1260

C:\Users\Admin\AppData\Local\Temp\743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
"C:\Users\Admin\AppData\Local\Temp\743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1072

C:\Windows\system32\taskeng.exe
taskeng.exe {147575DC-6DA4-4A2A-86BF-9514B0CC2F4B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
3⤵
- Interacts with shadow copies
PID:1352

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x59c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\grnkdai
MD5
5ed779c649dd104ea114a4adee61e18b

SHA1
8a58a1eed411445183a6258dcd73b8498570c87d

SHA256
5b1c599d2dc6373270df17da11d1bfbc4b650876c207dc1ab26ed8272558d726

SHA512
5d89af67915e29ed987f4ef8048f294ad8fa66d9d71c818850c876d4088b94e40437c141ebad7247744355a74f7411f78227b3584c4b56ff33297d58f55066d6

Download Submit
C:\ProgramData\Microsoft Help\grnkdai
MD5
5ed779c649dd104ea114a4adee61e18b

SHA1
8a58a1eed411445183a6258dcd73b8498570c87d

SHA256
5b1c599d2dc6373270df17da11d1bfbc4b650876c207dc1ab26ed8272558d726

SHA512
5d89af67915e29ed987f4ef8048f294ad8fa66d9d71c818850c876d4088b94e40437c141ebad7247744355a74f7411f78227b3584c4b56ff33297d58f55066d6

Download Submit
C:\ProgramData\Microsoft Help\grnkdai
MD5
edf1af3a105390eab8e374e4b08ab8dc

SHA1
61070e991c80d382803791cf18cec706c5fc0c42

SHA256
92bfd70b6cf787baabb6e84c45ce5af7970cb3d746136b84f31a8c419a42ac74

SHA512
4e1f70823502e75ff7eeff4ecb89f8b532dce97fdf1561f35c2447a39a59e0e2908071a0f20599f9294f86b62977ffb48150a83c8ad8d2f596141840ca291071

Download Submit
C:\ProgramData\Microsoft Help\grnkdai
MD5
1dd61beaa89d2089d0064f1b09c389b8

SHA1
aa88b7ec074aabb08628af6d942ea6d7eae238d4

SHA256
e6a0fe9f93c1d99b5f2634fadbf519daa17699708230d1450aaf4c692279168d

SHA512
57f1d0d69a446d263552edb1480da8e6b0c685368a9305c06de437e8c9cee75b5937566ce20f15af38c9925be29bd5d1fd68f98a0264c021403b60c97e37051a

Download Submit
C:\ProgramData\ummcbbc.html
MD5
0529142322bce9b96280cbd74782d8ba

SHA1
77b7ff7aa39899ee1c54509d186c834797d1f04c

SHA256
3521de58f3519d7d1db706db9719f5a31a2d300ed63220cd199dbc2088c4785d

SHA512
33bb4829ed7397bade2f37fbacb3380e2df3f2710a6ea410842c3fa7db3c465bf644d1a73124c5eba802d9795f91b7a6307818ea5c12cffd3587efa2c9f5c279

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
b2e27e88dd895d90f19c8d0314662720

SHA1
cc69874f94ae42a274e4b3171e850ad2d3c02465

SHA256
743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

SHA512
85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
b2e27e88dd895d90f19c8d0314662720

SHA1
cc69874f94ae42a274e4b3171e850ad2d3c02465

SHA256
743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

SHA512
85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
b2e27e88dd895d90f19c8d0314662720

SHA1
cc69874f94ae42a274e4b3171e850ad2d3c02465

SHA256
743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

SHA512
85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Download Submit
memory/584-73-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

Filesize
8KB

Download
memory/584-69-0x0000000000440000-0x00000000004B7000-memory.dmp

Filesize
476KB

Download
memory/636-72-0x0000000000000000-mapping.dmp

Download
memory/1072-85-0x0000000000000000-mapping.dmp

Download
memory/1184-78-0x0000000000000000-mapping.dmp

Download
memory/1184-82-0x0000000000770000-0x00000000009BB000-memory.dmp

Filesize
2.3MB

Download
memory/1184-84-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1352-77-0x0000000000000000-mapping.dmp

Download
memory/1624-68-0x0000000000910000-0x0000000000B5B000-memory.dmp

Filesize
2.3MB

Download
memory/1624-64-0x0000000000000000-mapping.dmp

Download
memory/2000-60-0x0000000000830000-0x0000000000A4A000-memory.dmp

Filesize
2.1MB

Download
memory/2000-62-0x0000000000A50000-0x0000000000C9B000-memory.dmp

Filesize
2.3MB

Download
memory/2000-61-0x0000000075161000-0x0000000075163000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads