Analysis
max time kernel: 151s
max time network: 43s
platform: windows7_x64
resource: win7v20210408
submitted: 26-07-2021 12:57
Static task: static1
Behavioral task: behavioral1
  Sample: 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
  Resource: win10v20210408
General
Target: 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
Size: 654KB
MD5: 2452df8493c85994e7fe0f42e664999e
SHA1: 0ed37c982134aa703837f38bea0549e70c29bccb
SHA256: 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e
SHA512: 132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb
Malware Config
Extracted from C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tixksrn.txt:
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion/
Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-tixksrn.txt:
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion/
Extracted from C:\ProgramData\sctpnha.html:
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion
Signatures
CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (2 IoCs)
  pid   process
  1664  sdfkjhe.exe
  1536  sdfkjhe.exe
Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description   ioc                                                                                process
  File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\BlockRevoke.CRW.tixksrn   svchost.exe
  File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GetSkip.RAW.tixksrn       svchost.exe
  File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\BackupClose.CRW.tixksrn   svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation  sdfkjhe.exe
Drops desktop.ini file(s) (1 IoCs)
  description                   ioc                                        process
  File opened for modification  C:\$RECYCLE.BIN\S-1-5-18\desktop.ini       svchost.exe
Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                                  process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat   sdfkjhe.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                     process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-tixksrn.bmp"  Explorer.EXE
Drops file in Program Files directory (2 IoCs)
  description   ioc                                                                                    process
  File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tixksrn.txt  svchost.exe
  File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tixksrn.bmp  svchost.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid  process
  756  vssadmin.exe
Modifies Internet Explorer settings
  description      ioc                                                                                                                                        process
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main                                      sdfkjhe.exe
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                        sdfkjhe.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  sdfkjhe.exe
Modifies data under HKEY_USERS (20 IoCs)
  description       ioc                                                                                                                                                     process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon                      svchost.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"  svchost.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"                                                                                       svchost.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"                                                                                      svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket                                                                     svchost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640065003900650062006100650034002d0039003800390064002d0031003100650062002d0062003400650036002d003800300036006500360066003600650036003900360033007d0000000000  svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows                                                                                                      svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID                                                                        svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon                      svchost.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"  svchost.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"  svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{de9ebae4-989d-11eb-b4e6-806e6f6e6963}                      svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft                                                                                                              svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}                                  svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software                                                                                                                        svchost.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{de9ebae4-989d-11eb-b4e6-806e6f6e6963}\MaxCapacity = "15140"  svchost.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{de9ebae4-989d-11eb-b4e6-806e6f6e6963}\NukeOnDelete = "0"   svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion                                                                                       svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer                                                                              svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume                                                             svchost.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process
  1972  88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
  1664  sdfkjhe.exe  (13 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  1352  Explorer.EXE
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                        pid   process
  Token: SeDebugPrivilege            1664  sdfkjhe.exe
  Token: SeDebugPrivilege            1664  sdfkjhe.exe
  Token: SeShutdownPrivilege         1352  Explorer.EXE
  Token: 33                          1228  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1228  AUDIODG.EXE
  Token: 33                          1228  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1228  AUDIODG.EXE
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   process
  1536  sdfkjhe.exe
Suspicious use of SendNotifyMessage (1 IoCs)
  pid   process
  1536  sdfkjhe.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  1536  sdfkjhe.exe
  1536  sdfkjhe.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  description                      pid   process       target process
  PID 832 wrote to memory of 1664  832   taskeng.exe   sdfkjhe.exe   (4 entries)
  PID 1664 wrote to memory of 584  1664  sdfkjhe.exe   svchost.exe   (1 entry)
  PID 584 wrote to memory of 928   584   svchost.exe   DllHost.exe   (3 entries)
  PID 1664 wrote to memory of 1352 1664  sdfkjhe.exe   Explorer.EXE  (1 entry)
  PID 1664 wrote to memory of 756  1664  sdfkjhe.exe   vssadmin.exe  (4 entries)
  PID 1664 wrote to memory of 1536 1664  sdfkjhe.exe   sdfkjhe.exe   (4 entries)
  PID 584 wrote to memory of 1240  584   svchost.exe   DllHost.exe   (3 entries)
Processes
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe"
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {AE5E5EE5-E5B7-40A9-8F55-1D91AE8E4012} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
    command line: C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin delete shadows all
      - Interacts with shadow copies
    C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe" -u
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in System32 directory
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x220
  - Suspicious use of AdjustPrivilegeToken
Downloads
C:\ProgramData\Microsoft Help\retmfqf
  MD5: 131163676e8a6bcef5b3b3498c7571a8
  SHA1: d7496acbfdb7dc0aab9dea2010474d47a32c4e53
  SHA256: cdbcf04e52ed123c0a06208e6e475673697604e432690d68cb259c99f633c449
  SHA512: 38b7f97e387b45cf28cd238fad29f91d22fe6097e932ff7bd367a81015e26bed863b840ad1771213de6a63459d2caefa21165eec7c1b548907d53c65d44d1314
C:\ProgramData\Microsoft Help\retmfqf
  MD5: 8291f1544199cfa53fb2d9c0dc6e81a8
  SHA1: 2cf09f4488841419c97fdcb3cb6a567715fff2af
  SHA256: c5cb2792960bef3c280afb22f489c0d7d5b0785f6c8329dc8e1dbae9cc701b26
  SHA512: 939191ebb60bdad7a75663a9a37c86e385cf609b898b29d59549323917ff95f307871033869defb917d2663ef97219674192e008ce987eb983fc49957c884482
C:\ProgramData\sctpnha.html
  MD5: 35a84d47704ec85c8ca6374692b57c5a
  SHA1: 259f5d122055ef77ddbe072118c23af8e163d747
  SHA256: 14cfb801c0038568373722117706be032360bc9b9fd1c91bbca144f31af522be
  SHA512: 3e212ea34e45e96cd9242c18b7a86b140b128e2e0bc32bcc041f514ef97320ebff16fadcd58fe29da56724937abd2e439b54d206f3b245312655477269dee846
C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
  MD5: 2452df8493c85994e7fe0f42e664999e
  SHA1: 0ed37c982134aa703837f38bea0549e70c29bccb
  SHA256: 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e
  SHA512: 132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb
memory/584-69-0x00000000003D0000-0x0000000000447000-memory.dmp  (Filesize 476KB)
memory/584-73-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp  (Filesize 8KB)
memory/756-77-0x0000000000000000-mapping.dmp
memory/928-72-0x0000000000000000-mapping.dmp
memory/1240-85-0x0000000000000000-mapping.dmp
memory/1536-78-0x0000000000000000-mapping.dmp
memory/1536-82-0x00000000006A0000-0x00000000008EB000-memory.dmp  (Filesize 2.3MB)
memory/1536-83-0x00000000000A0000-0x00000000000A1000-memory.dmp  (Filesize 4KB)
memory/1664-68-0x0000000000AC0000-0x0000000000D0B000-memory.dmp  (Filesize 2.3MB)
memory/1664-64-0x0000000000000000-mapping.dmp
memory/1972-60-0x00000000005E0000-0x00000000007FA000-memory.dmp  (Filesize 2.1MB)
memory/1972-62-0x0000000000800000-0x0000000000A4B000-memory.dmp  (Filesize 2.3MB)
memory/1972-61-0x0000000075DA1000-0x0000000075DA3000-memory.dmp  (Filesize 8KB)