ctblocker | bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

Analysis

max time kernel
150s
max time network
64s
platform
windows7_x64
resource
win7v20210410
submitted
26-07-2021 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
Size

788KB
MD5

40ce00566109565d499b53a150716303
SHA1

c2decc8da4ea7f18236f7581130515bb378c21da
SHA256

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21
SHA512

8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-qgsajrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. N6Y2EZ5-QBVNEQ3-TX7UTYE-O4GZ54A-7W5E2HT-QOQVUNN-GLLMDLJ-AIKRRVN 52JAWPM-W2KRJQD-EWMUPQP-UVO5UTR-HLU4Z2Q-TJHOXLH-J7AVDYX-DPLBTRN SPYLXGP-HSCPOJN-F2IYVHA-YDPJMFJ-HDLZRER-RHHIT4M-A5BEEYI-2I4TQS7 Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-qgsajrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. N6Y2EZ5-QBVNEQ3-TX7UTYE-O4GZ54A-7W5E2HT-QOQVUNN-GLLMDLJ-AIKRRVN 52JAWPM-W2KRJQD-EWMUPQP-UVO5UTR-HLU4Z2Q-TJHOXLH-J7AVDYX-DPLBTRN SPYLXGP-HSCPOJN-F2IYVHA-YDPJMFJ-HDLZLWR-B5HIT4M-A5BEEYI-2I4T43Y Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\ProgramData\ummcbbc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

exusltb.exeexusltb.exeexusltb.exeexusltb.exe

pid process

612 exusltb.exe
1700 exusltb.exe
788 exusltb.exe
1688 exusltb.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

svchost.exe

description ioc process

File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GrantUndo.RAW.qgsajrd svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

exusltb.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation exusltb.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

pid	process
612	exusltb.exe
1700	exusltb.exe
788	exusltb.exe
1688	exusltb.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GrantUndo.RAW.qgsajrd	svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	exusltb.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

exusltb.exeexusltb.exeexusltb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\x\system.pif	exusltb.exe
File created	C:\Windows\SysWOW64\x\system.pif	exusltb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	exusltb.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-qgsajrd.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exeexusltb.exeexusltb.exe

description	pid	process	target process
PID 1668 set thread context of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 612 set thread context of 1700	612	exusltb.exe	exusltb.exe
PID 788 set thread context of 1688	788	exusltb.exe	exusltb.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-qgsajrd.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-qgsajrd.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1232 vssadmin.exe

pid	process
1232	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

exusltb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	exusltb.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	exusltb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	exusltb.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

svchost.exeexusltb.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\exusltb\Recent File List	exusltb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications	exusltb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\exusltb	exusltb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\exusltb\Settings	exusltb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exebb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exeexusltb.exeexusltb.exeexusltb.exe

pid	process
1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
1516	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
612	exusltb.exe
1700	exusltb.exe
1700	exusltb.exe
1700	exusltb.exe
1700	exusltb.exe
1700	exusltb.exe
788	exusltb.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

exusltb.exeExplorer.EXEAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1700	exusltb.exe
Token: SeDebugPrivilege	1700	exusltb.exe
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1688 exusltb.exe
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1688 exusltb.exe
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exeexusltb.exeexusltb.exeexusltb.exe

pid process

1668 bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
612 exusltb.exe
788 exusltb.exe
1688 exusltb.exe
1688 exusltb.exe

pid	process
1688	exusltb.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

pid	process
1688	exusltb.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exetaskeng.exeexusltb.exeexusltb.exesvchost.exeexusltb.exe

description	pid	process	target process
PID 1668 wrote to memory of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 1668 wrote to memory of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 1668 wrote to memory of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 1668 wrote to memory of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 1668 wrote to memory of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 1668 wrote to memory of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 1668 wrote to memory of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 1668 wrote to memory of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 1668 wrote to memory of 1516	1668	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 1796 wrote to memory of 612	1796	taskeng.exe	exusltb.exe
PID 1796 wrote to memory of 612	1796	taskeng.exe	exusltb.exe
PID 1796 wrote to memory of 612	1796	taskeng.exe	exusltb.exe
PID 1796 wrote to memory of 612	1796	taskeng.exe	exusltb.exe
PID 612 wrote to memory of 1700	612	exusltb.exe	exusltb.exe
PID 612 wrote to memory of 1700	612	exusltb.exe	exusltb.exe
PID 612 wrote to memory of 1700	612	exusltb.exe	exusltb.exe
PID 612 wrote to memory of 1700	612	exusltb.exe	exusltb.exe
PID 612 wrote to memory of 1700	612	exusltb.exe	exusltb.exe
PID 612 wrote to memory of 1700	612	exusltb.exe	exusltb.exe
PID 612 wrote to memory of 1700	612	exusltb.exe	exusltb.exe
PID 612 wrote to memory of 1700	612	exusltb.exe	exusltb.exe
PID 612 wrote to memory of 1700	612	exusltb.exe	exusltb.exe
PID 1700 wrote to memory of 584	1700	exusltb.exe	svchost.exe
PID 584 wrote to memory of 620	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 620	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 620	584	svchost.exe	DllHost.exe
PID 1700 wrote to memory of 1292	1700	exusltb.exe	Explorer.EXE
PID 1700 wrote to memory of 1232	1700	exusltb.exe	vssadmin.exe
PID 1700 wrote to memory of 1232	1700	exusltb.exe	vssadmin.exe
PID 1700 wrote to memory of 1232	1700	exusltb.exe	vssadmin.exe
PID 1700 wrote to memory of 1232	1700	exusltb.exe	vssadmin.exe
PID 1700 wrote to memory of 788	1700	exusltb.exe	exusltb.exe
PID 1700 wrote to memory of 788	1700	exusltb.exe	exusltb.exe
PID 1700 wrote to memory of 788	1700	exusltb.exe	exusltb.exe
PID 1700 wrote to memory of 788	1700	exusltb.exe	exusltb.exe
PID 788 wrote to memory of 1688	788	exusltb.exe	exusltb.exe
PID 788 wrote to memory of 1688	788	exusltb.exe	exusltb.exe
PID 788 wrote to memory of 1688	788	exusltb.exe	exusltb.exe
PID 788 wrote to memory of 1688	788	exusltb.exe	exusltb.exe
PID 788 wrote to memory of 1688	788	exusltb.exe	exusltb.exe
PID 788 wrote to memory of 1688	788	exusltb.exe	exusltb.exe
PID 788 wrote to memory of 1688	788	exusltb.exe	exusltb.exe
PID 788 wrote to memory of 1688	788	exusltb.exe	exusltb.exe
PID 788 wrote to memory of 1688	788	exusltb.exe	exusltb.exe
PID 584 wrote to memory of 1724	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 1724	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 1724	584	svchost.exe	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
"C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
"C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1724

C:\Windows\system32\taskeng.exe
taskeng.exe {857F759E-7448-460E-9BBC-FA7BA45A59CA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:1232

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x240
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\grnkdai
MD5
38b2a008cf7af5973b89ab3e9d55ea36

SHA1
062a0e84885acb98deb6af39266b395cbb42985c

SHA256
3ba3ef8700f9cdecd9d2e1dffdaa400c9f458f5335ff0e24507f3310236d71b3

SHA512
fa10b2ff9f9ac45fda2652bcd2bca05c3b1d03a51ec8872d82d0fdba42a3ec2a3e120d55d0f344b7e92a35cd04c2a11673c31fd347f7d77a0afd5883fb00ab15

Download Submit
C:\ProgramData\Microsoft\grnkdai
MD5
38b2a008cf7af5973b89ab3e9d55ea36

SHA1
062a0e84885acb98deb6af39266b395cbb42985c

SHA256
3ba3ef8700f9cdecd9d2e1dffdaa400c9f458f5335ff0e24507f3310236d71b3

SHA512
fa10b2ff9f9ac45fda2652bcd2bca05c3b1d03a51ec8872d82d0fdba42a3ec2a3e120d55d0f344b7e92a35cd04c2a11673c31fd347f7d77a0afd5883fb00ab15

Download Submit
C:\ProgramData\Microsoft\grnkdai
MD5
6ddf8bbc2cb97d93ff4c14c8e0c38405

SHA1
8de44461242eef1423ab98d6c2ffc612fdda2b1e

SHA256
629cb859a347ce415e8dee86eb195b2f59fc09cb42c38b889d920368f1ebea22

SHA512
9fce8f0c4c84347cad9c623a53e778d34d138d7806181e93a5076f3f82a356059d047a8f340a8f06f10f3963429022a4103abcc6aafbcfe7a6e4987e6f1369ba

Download Submit
C:\ProgramData\Microsoft\grnkdai
MD5
8fa346c7847f012452d34a36bdefdb54

SHA1
17b7ed238f7c918b7768f2ed5519045427576094

SHA256
fbe6a805bedd788835eeac2f9fe9bc2abb3c5b5959298f13ddc8df3f3e4b5117

SHA512
adb4329b545e05e076101d499205ebbd0482583c643530f7376b0c4b3b137cf1fc862810b5837f1e8f0ca33a961bd7ca95f0c2f72a9999f6eb100ec282a1113b

Download Submit
C:\ProgramData\ummcbbc.html
MD5
e214a0677050a52d9731d61b8880286c

SHA1
33aa2cbd165ae282658d9c6a03fc91f338510f63

SHA256
a47755786a13906684e906e072258f510f0d19571fb82af64075a7f183cf70f6

SHA512
1747eb5d8eec482ac398328c32b5e5cb54cb03ca3c6765ef60281486500aead3d1242e4f1039b15586c95a7f9a025e06cfc80c9ea8debdf1037233ecea1bc2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
memory/584-78-0x0000000000270000-0x00000000002E7000-memory.dmp

Filesize
476KB

Download
memory/584-82-0x000007FEFC301000-0x000007FEFC303000-memory.dmp

Filesize
8KB

Download
memory/612-69-0x0000000000000000-mapping.dmp

Download
memory/620-81-0x0000000000000000-mapping.dmp

Download
memory/788-87-0x0000000000000000-mapping.dmp

Download
memory/1232-86-0x0000000000000000-mapping.dmp

Download
memory/1516-65-0x0000000000400000-0x00000000004A4400-memory.dmp

Filesize
657KB

Download
memory/1516-67-0x00000000047D0000-0x0000000004A1B000-memory.dmp

Filesize
2.3MB

Download
memory/1516-61-0x0000000000400000-0x0000000004429000-memory.dmp

Filesize
64.2MB

Download
memory/1516-63-0x00000000045B0000-0x00000000047CA000-memory.dmp

Filesize
2.1MB

Download
memory/1516-62-0x000000000042CD47-mapping.dmp

Download
memory/1668-64-0x0000000000360000-0x0000000000365000-memory.dmp

Filesize
20KB

Download
memory/1668-60-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1688-91-0x000000000042CD47-mapping.dmp

Download
memory/1688-95-0x0000000004A70000-0x0000000004CBB000-memory.dmp

Filesize
2.3MB

Download
memory/1688-97-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1700-73-0x000000000042CD47-mapping.dmp

Download
memory/1700-77-0x0000000004B70000-0x0000000004DBB000-memory.dmp

Filesize
2.3MB

Download
memory/1724-98-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads