Analysis
- max time kernel: 154s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-07-2021 12:57

Static task: static1

Behavioral task: behavioral1
- Sample: 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
- Resource: win10v20210408
General
- Target: 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
- Size: 654KB
- MD5: 2452df8493c85994e7fe0f42e664999e
- SHA1: 0ed37c982134aa703837f38bea0549e70c29bccb
- SHA256: 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e
- SHA512: 132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb
Malware Config
Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-dmzevle.txt:
- http://jssestaew3e7ao3q.onion.cab
- http://jssestaew3e7ao3q.tor2web.org
- http://jssestaew3e7ao3q.onion/
Extracted from C:\ProgramData\siyrcpf.html:
- http://jssestaew3e7ao3q.onion.cab
- http://jssestaew3e7ao3q.tor2web.org
- http://jssestaew3e7ao3q.onion
Signatures
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 4000 gvpesyf.exe
  - 2152 gvpesyf.exe
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
  - File renamed: C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\MergeTrace.RAW.dmzevle (svchost.exe)
  - File renamed: C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\EnableUnlock.CRW.dmzevle (svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation (gvpesyf.exe)
- Drops desktop.ini file(s) (1 IoC)
  Processes (description, ioc, process):
  - File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (svchost.exe)
- Drops file in System32 directory (6 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (gvpesyf.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini (gvpesyf.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (gvpesyf.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (gvpesyf.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (gvpesyf.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (gvpesyf.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-dmzevle.bmp" (Explorer.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
  - 3712 vssadmin.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\GPU (gvpesyf.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" (gvpesyf.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (gvpesyf.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (gvpesyf.exe)
- Modifies data under HKEY_USERS (21 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume (svchost.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}\MaxCapacity = "15150" (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" (svchost.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}\NukeOnDelete = "0" (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000} (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket (svchost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640030003500630066006300340061002d0030003000300030002d0030003000300030002d0030003000300030002d003500300030003600300030003000300030003000300030007d0000000000 (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" (svchost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (svchost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid, process):
  - 640 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe (2 entries)
  - 4000 gvpesyf.exe (14 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  - 3092 Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 4000 gvpesyf.exe
  - Token: SeDebugPrivilege, 4000 gvpesyf.exe
  - Token: SeShutdownPrivilege, 3092 Explorer.EXE
  - Token: SeCreatePagefilePrivilege, 3092 Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
  - 2152 gvpesyf.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes (pid, process):
  - 2152 gvpesyf.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  - 2152 gvpesyf.exe
  - 2152 gvpesyf.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 4000 wrote to memory of 716: gvpesyf.exe -> svchost.exe
  - PID 4000 wrote to memory of 3092: gvpesyf.exe -> Explorer.EXE
  - PID 4000 wrote to memory of 3712: gvpesyf.exe -> vssadmin.exe
  - PID 4000 wrote to memory of 3712: gvpesyf.exe -> vssadmin.exe
  - PID 4000 wrote to memory of 3712: gvpesyf.exe -> vssadmin.exe
  - PID 4000 wrote to memory of 2152: gvpesyf.exe -> gvpesyf.exe
  - PID 4000 wrote to memory of 2152: gvpesyf.exe -> gvpesyf.exe
  - PID 4000 wrote to memory of 2152: gvpesyf.exe -> gvpesyf.exe
Processes
- c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Modifies data under HKEY_USERS
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe"
    - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin delete shadows all
    - Interacts with shadow copies
  - C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe" -u
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Downloads