ctblocker | bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

Analysis

max time kernel
151s
max time network
117s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
Size

788KB
MD5

40ce00566109565d499b53a150716303
SHA1

c2decc8da4ea7f18236f7581130515bb378c21da
SHA256

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21
SHA512

8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-tfpixtg.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. ZSLHVVV-BPVO7NC-JAQ2QDZ-F3UNXAX-CLIHAE4-XR4LCR7-ETUGKIF-PE6KUJM XWKIYUO-YCYUXYJ-56I5CC3-F5MJD6Z-DNBXD62-ML2S6IM-TRNVJL2-EK2XRUU J2KPZKJ-BKAOGQ3-JFAUN5V-VVX776C-LDABEGQ-A4LON7N-VUC5ULS-VNLP3LN Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\ProgramData\kwivvrl.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

pwqidta.exepwqidta.exepwqidta.exepwqidta.exe

pid process

2728 pwqidta.exe
3748 pwqidta.exe
2728 pwqidta.exe
2256 pwqidta.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

svchost.exe

description ioc process

File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\InitializeExit.CRW.tfpixtg svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pwqidta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation pwqidta.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

pid	process
2728	pwqidta.exe
3748	pwqidta.exe
2728	pwqidta.exe
2256	pwqidta.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\InitializeExit.CRW.tfpixtg	svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	pwqidta.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 8 IoCs

Processes:

pwqidta.exepwqidta.exepwqidta.exe

description	ioc	process
File created	C:\Windows\SysWOW64\x\system.pif	pwqidta.exe
File created	C:\Windows\SysWOW64\x\system.pif	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini	pwqidta.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-tfpixtg.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exepwqidta.exepwqidta.exe

description	pid	process	target process
PID 3736 set thread context of 1468	3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 2728 set thread context of 3748	2728	pwqidta.exe	pwqidta.exe
PID 2728 set thread context of 2256	2728	pwqidta.exe	pwqidta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2756 vssadmin.exe

pid	process
2756	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

pwqidta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pwqidta.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU	pwqidta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	pwqidta.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pwqidta.exe

Modifies data under HKEY_USERS 25 IoCs

Processes:

svchost.exepwqidta.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\pwqidta\Recent File List	pwqidta.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320036003600640031006300610034002d0030003000300030002d0030003000300030002d0030003000300030002d003500300030003600300030003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\pwqidta	pwqidta.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\MaxCapacity = "15150"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications	pwqidta.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\pwqidta\Settings	pwqidta.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exebb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exepwqidta.exepwqidta.exepwqidta.exe

pid	process
3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
1468	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
1468	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
2728	pwqidta.exe
2728	pwqidta.exe
3748	pwqidta.exe
3748	pwqidta.exe
3748	pwqidta.exe
3748	pwqidta.exe
3748	pwqidta.exe
3748	pwqidta.exe
3748	pwqidta.exe
3748	pwqidta.exe
2728	pwqidta.exe
2728	pwqidta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE

pid	process
3052	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

pwqidta.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3748	pwqidta.exe
Token: SeDebugPrivilege	3748	pwqidta.exe
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pwqidta.exe

pid process

2256 pwqidta.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pwqidta.exe

pid process

2256 pwqidta.exe

pid	process
2256	pwqidta.exe

pid	process
2256	pwqidta.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exepwqidta.exepwqidta.exepwqidta.exe

pid	process
3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
2728	pwqidta.exe
2728	pwqidta.exe
2256	pwqidta.exe
2256	pwqidta.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exepwqidta.exepwqidta.exepwqidta.exe

description	pid	process	target process
PID 3736 wrote to memory of 1468	3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 3736 wrote to memory of 1468	3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 3736 wrote to memory of 1468	3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 3736 wrote to memory of 1468	3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 3736 wrote to memory of 1468	3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 3736 wrote to memory of 1468	3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 3736 wrote to memory of 1468	3736	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe	bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
PID 2728 wrote to memory of 3748	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 3748	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 3748	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 3748	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 3748	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 3748	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 3748	2728	pwqidta.exe	pwqidta.exe
PID 3748 wrote to memory of 716	3748	pwqidta.exe	svchost.exe
PID 3748 wrote to memory of 3052	3748	pwqidta.exe	Explorer.EXE
PID 3748 wrote to memory of 2756	3748	pwqidta.exe	vssadmin.exe
PID 3748 wrote to memory of 2756	3748	pwqidta.exe	vssadmin.exe
PID 3748 wrote to memory of 2756	3748	pwqidta.exe	vssadmin.exe
PID 3748 wrote to memory of 2728	3748	pwqidta.exe	pwqidta.exe
PID 3748 wrote to memory of 2728	3748	pwqidta.exe	pwqidta.exe
PID 3748 wrote to memory of 2728	3748	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 2256	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 2256	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 2256	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 2256	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 2256	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 2256	2728	pwqidta.exe	pwqidta.exe
PID 2728 wrote to memory of 2256	2728	pwqidta.exe	pwqidta.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
"C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
"C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
PID:716

C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
3⤵
- Interacts with shadow copies
PID:2756

C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
"C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
"C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2256

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOPrivate\hmvkwmb
MD5
e39708d8e9ba5a7c81058ed879c45d2a

SHA1
cf63a01f0e19a91a842234edcc41309d03780c10

SHA256
f1f435c67a184a9a78130a2b507369a20df8d0732b8a5d2e0ec3dc9ad16aa36f

SHA512
396fac9c9f14365f96656f40abd08c8be1fbbc82cef75f604cd33857a1da26f41aa89cd121a3d03281da2d34c7e04fe4ee51bd2b8b6653f032d2e7ed95d15c4b

Download Submit
C:\ProgramData\USOPrivate\hmvkwmb
MD5
e39708d8e9ba5a7c81058ed879c45d2a

SHA1
cf63a01f0e19a91a842234edcc41309d03780c10

SHA256
f1f435c67a184a9a78130a2b507369a20df8d0732b8a5d2e0ec3dc9ad16aa36f

SHA512
396fac9c9f14365f96656f40abd08c8be1fbbc82cef75f604cd33857a1da26f41aa89cd121a3d03281da2d34c7e04fe4ee51bd2b8b6653f032d2e7ed95d15c4b

Download Submit
C:\ProgramData\USOPrivate\hmvkwmb
MD5
e62ad7367e301415d6b1c65bad0361c6

SHA1
0c94f6196ad539eb94a3fd201c2d3f81ffc6e9d3

SHA256
4d34a2ac717d00af89b67afb4302c3db0c30d20c7a52dc446314844d8e80403f

SHA512
7c71eda1e0ae3968376a5067e85758dfbb3368ff6181a0567d804f40747224997bc6b515395ff90861d59164bd33c95e60dc183482e6b26ea70c85439cf726d8

Download Submit
C:\ProgramData\USOPrivate\hmvkwmb
MD5
15ffa8de86e4d30e439620eb28651040

SHA1
f34466b3e30d96732683a01c5a79e4c15c18d363

SHA256
aaeea164d833760f281fdcbc17a08992839a43dca5e9204aa828dad85f69e814

SHA512
07314214bbdfe34a97285840dc39b36f545036fcb8692cd2ef62e593b37f4785c3f6af312889214f2d79f044ef15dabeaa788bb7392c4ddd95d5ebc737744f91

Download Submit
C:\ProgramData\USOPrivate\hmvkwmb
MD5
cfe49bf12375964d251ad351c18e6b65

SHA1
e4214de06093281b16176dac906926bc82d7d1ab

SHA256
5e162b2a3d1f1d1204e1b8e0c2cf0380234adf18f6abae492e4bb126e7e30902

SHA512
42b78d1ba4bd42c9681ea71bb123630aec9b4c9ee26e877f107af8c208ba21a9798c9b3d5b3dcb828e82da51dc9aef1e36d0728df2c3e640ba37a1f149daad18

Download Submit
C:\ProgramData\kwivvrl.html
MD5
a572ca991c9a594a12566b75b330aa37

SHA1
8393edaa135eda8a8a859fb6e8b2b4de633407ec

SHA256
ba7e2b30dbcffe791d2668e4141c747b66fed219ac2222bab7142ddb5b51a40a

SHA512
84278935e8df9a35e38cc182e6540799076e42cfe10fa1da3857134ca25145ac128603a928f069da47aaa4513a5e317aef3479ea9811b49d3f2dbda78fe4456b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
MD5
40ce00566109565d499b53a150716303

SHA1
c2decc8da4ea7f18236f7581130515bb378c21da

SHA256
bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21

SHA512
8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c

Download Submit
memory/716-127-0x0000000006AE0000-0x0000000006B57000-memory.dmp

Filesize
476KB

Download
memory/1468-114-0x0000000000400000-0x0000000004429000-memory.dmp

Filesize
64.2MB

Download
memory/1468-121-0x0000000000400000-0x00000000004A4400-memory.dmp

Filesize
657KB

Download
memory/1468-118-0x00000000048C0000-0x0000000004B0B000-memory.dmp

Filesize
2.3MB

Download
memory/1468-117-0x00000000046A0000-0x00000000048BA000-memory.dmp

Filesize
2.1MB

Download
memory/1468-116-0x000000000042CD47-mapping.dmp

Download
memory/2256-142-0x0000000004950000-0x0000000004B9B000-memory.dmp

Filesize
2.3MB

Download
memory/2256-139-0x000000000042CD47-mapping.dmp

Download
memory/2728-138-0x0000000000620000-0x0000000000625000-memory.dmp

Filesize
20KB

Download
memory/2728-135-0x0000000000000000-mapping.dmp

Download
memory/2756-133-0x0000000000000000-mapping.dmp

Download
memory/3736-115-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download
memory/3748-123-0x000000000042CD47-mapping.dmp

Download
memory/3748-126-0x0000000004880000-0x0000000004ACB000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads