Analysis

  • max time kernel
    154s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-07-2021 12:57

General

  • Target

    88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe

  • Size

    654KB

  • MD5

    2452df8493c85994e7fe0f42e664999e

  • SHA1

    0ed37c982134aa703837f38bea0549e70c29bccb

  • SHA256

    88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e

  • SHA512

    132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-dmzevle.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. EZ64OF6-HZYLEVK-WU34SHU-EZ2OC7O-4XX3ZOV-4QD2LBI-RJIZD7I-QZMPNHV IMZKW52-X5V3EUX-DZ743GH-FU3E4T6-QSUA4PF-3SRRI5D-3ZMS473-ULTYBD4 LNFEJ2K-CL6AUFR-LPB5YHJ-JR7IA3G-E4BIV44-CY7W3Y3-GDTHBUQ-R7YTKVN Follow the instructions on the server.
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\siyrcpf.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE (2 IoCs)
  • Modifies extensions of user files (2 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) (1 IoC)
  • Drops file in System32 directory (6 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies (2 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Modifies data under HKEY_USERS (21 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies data under HKEY_USERS
    PID:716
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
      "C:\Users\Admin\AppData\Local\Temp\88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:640
  • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows all
      2⤵
      • Interacts with shadow copies
      PID:3712
    • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
      "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe" -u
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2152

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • File Deletion, T1107 (2)
    • Modify Registry, T1112 (2)
  • Discovery
    • Query Registry, T1012 (1)
    • System Information Discovery, T1082 (2)
  • Impact
    • Inhibit System Recovery, T1490 (2)
    • Defacement, T1491 (1)

Downloads

  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    a069e25356db8a20cd227b4a1e7fd51a

    SHA1

    3ff4a0ed65170d691f66d3c7859f4afecae3b395

    SHA256

    b065385f59aa7c7fdd3cba995a9a92c17dba7cabf6cdf9304f2e3ee84629a987

    SHA512

    66ea00499bd3e1e7f2652435feb70eef59e5ae67cc7c3f497e5c4748371d90db92c49e13a06b59602192ca364f937f98971ea73290a814448932e01c5970fcac

  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    3f270f199adc879688bf8e7ec3da36b1

    SHA1

    8b88eb03f201f0de0e1a6f3ff729866b40427fb8

    SHA256

    e306949bd67309311c0d7d05d53c0e8d4bd354d9e82db92a8f9b7b1586cae613

    SHA512

    a2f2957ac49ad8f7b1bc27594bf656f06fce127a636ab8b8fc0429491f3893e0975bd6203dbd42f15f05e9c779a6de53da5a1ce6a5d99271c81cc799c13ab691

  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    07237eea917caeb32b9e2aff964c2758

    SHA1

    a3495cb3acb79b7e318dc5b815433dac63ec9aee

    SHA256

    1358a9e81a784f72f9dbcdafb19ab3067329d0886b1ef91d85f7b04097eb794d

    SHA512

    bbf48f256632cf514304decb0c8f9ec82125bf4a612506f94f8fe81d193e08c54fa417ed02feabed97d7763d499542f5af401166a5f0ca0eae53ba205192463d

  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    b02ddbee9504d67ba0bebc7fe01ed6cd

    SHA1

    0256a7d77f624095af7e903ae9ea5260af55f1bb

    SHA256

    7451a104e05e846cf1d911b7ba5fc4a2852146efbde4c4e959fe9e769a1f195e

    SHA512

    ca7f8221c750ef8e640a3dbba099056771a43e701f85ecc1f19f33d9edc9184f404ca93e9feb9502733f5d723ee0152da9b3e4baf0d61fb618439f3d0ea7cd14

  • C:\ProgramData\USOPrivate\kqqzngi
    MD5

    760123c70e05c10aee9cc435cf9bbf71

    SHA1

    3708f8aa9a08214233b50f22785d8fc3f5a2f846

    SHA256

    67b3d0b42093b6208372c106c000b5b027607ba6db4904437fb2d17f81668f58

    SHA512

    13c75032c128df404c29429e270864ffe4b471f121acd48b7ecaeb28ba582983bf7a1e79b1c1f7f33993dc938e5a7d20837e6985f2413aa82f29a4e2ac45ecc5

  • C:\ProgramData\siyrcpf.html
    MD5

    82f46e3fb5554e22538c70996152fe53

    SHA1

    1b09fadc7e9b9e081cbe2b1f35c1747997b47e81

    SHA256

    2ea3a204b48d58cc4776a9a16ed1f6e53c578318f8ee953642aef1b47adfad24

    SHA512

    c8407327839d3a2c82912592dd54a7cd822826b0e23a7bbd854fada9d0b25a878f4c11d493f373e57150fdf2c626905dee1d914c731a9ae09126f4bbec5e5af1

  • C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    MD5

    2452df8493c85994e7fe0f42e664999e

    SHA1

    0ed37c982134aa703837f38bea0549e70c29bccb

    SHA256

    88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e

    SHA512

    132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb

  • memory/640-114-0x0000000001140000-0x000000000135A000-memory.dmp
    Filesize

    2.1MB

  • memory/640-115-0x0000000001360000-0x00000000015AB000-memory.dmp
    Filesize

    2.3MB

  • memory/716-120-0x0000000002CA0000-0x0000000002D17000-memory.dmp
    Filesize

    476KB

  • memory/2152-128-0x0000000000000000-mapping.dmp
  • memory/2152-131-0x0000000001430000-0x000000000167B000-memory.dmp
    Filesize

    2.3MB

  • memory/3712-127-0x0000000000000000-mapping.dmp
  • memory/4000-119-0x0000000001890000-0x0000000001ADB000-memory.dmp
    Filesize

    2.3MB