Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 22:30
Static task: static1
Behavioral task: behavioral1
  Sample: 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  Resource: win10v2004-20220812-en
General
- Target: 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
- Size: 714KB
- MD5: 6d83d702fad47bf24a04c4b3e2c9d930
- SHA1: e706a46e3bbb821e8f4aec1f3e488be1504b855b
- SHA256: 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07
- SHA512: 62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d
- SSDEEP: 12288:mSuYrHkpL3KyptgMzPez1OkvHj3CfL0PzGJRZLB3LE:X1kpL3KyAWPez1fD3mLIzGvZt3LE
Malware Config
Extracted
- Ransom note path: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-wmajicl.txt
- URLs:
  http://43qzvceo6ondd6wt.onion.cab
  http://43qzvceo6ondd6wt.tor2web.org
  http://43qzvceo6ondd6wt.onion/
Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.

Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  976 | gejzibk.exe
  388 | gejzibk.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 1880 set thread context of 1984 | 1880 | 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe | 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  PID 976 set thread context of 388 | 976 | gejzibk.exe | gejzibk.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-wmajicl.txt | svchost.exe
  File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-wmajicl.bmp | svchost.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid | process
  1880 | 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  1984 | 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  976 | gejzibk.exe
  388 | gejzibk.exe
  388 | gejzibk.exe
  388 | gejzibk.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 388 | gejzibk.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid | process
  1880 | 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  1880 | 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  976 | gejzibk.exe
  976 | gejzibk.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (count = number of identical rows in the report):
  description | pid | process | target process | count
  PID 1880 wrote to memory of 1984 | 1880 | 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe | 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe | 8
  PID 1696 wrote to memory of 976 | 1696 | taskeng.exe | gejzibk.exe | 4
  PID 976 wrote to memory of 388 | 976 | gejzibk.exe | gejzibk.exe | 8
  PID 388 wrote to memory of 596 | 388 | gejzibk.exe | svchost.exe | 1
Processes

C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Drops file in Program Files directory

C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {034E196F-D4AE-4B17-B266-3A49E64EBF08} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\gejzibk.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\gejzibk.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Downloads

C:\ProgramData\Microsoft\qrsyusl
  Filesize: 654B
  MD5: c43fd3c7ad31d69af2f0c77a97a1f9c6
  SHA1: 3c9cf858aa095239fe40cc876cd4a3c8fb43d4cf
  SHA256: 29d6ed797d42a997bfff44fb533a08e3ebd14b9abf38f4d7e7c2b9ef8c38583a
  SHA512: c6b65b1f6c09506aa8e0e5187bfa158e579a08eca3d3b1734008210cf8906fae77e0dc1e9bfc29553e09a9b8d3a094ee8544b23b484790e992ff0b7f247d2b8d

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
  Filesize: 714KB
  MD5: 6d83d702fad47bf24a04c4b3e2c9d930
  SHA1: e706a46e3bbb821e8f4aec1f3e488be1504b855b
  SHA256: 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07
  SHA512: 62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

memory/388-83-0x0000000028940000-0x0000000028B8B000-memory.dmp
  Filesize: 2.3MB
memory/388-78-0x0000000000401FA3-mapping.dmp
memory/596-86-0x00000000005D0000-0x0000000000647000-memory.dmp
  Filesize: 476KB
memory/596-84-0x00000000005D0000-0x0000000000647000-memory.dmp
  Filesize: 476KB
memory/976-69-0x0000000000000000-mapping.dmp
memory/1880-54-0x0000000075571000-0x0000000075573000-memory.dmp
  Filesize: 8KB
memory/1880-63-0x0000000000300000-0x0000000000304000-memory.dmp
  Filesize: 16KB
memory/1984-60-0x0000000000400000-0x0000000001400000-memory.dmp
  Filesize: 16.0MB
memory/1984-58-0x0000000000400000-0x0000000001400000-memory.dmp
  Filesize: 16.0MB
memory/1984-67-0x0000000028BE0000-0x0000000028E2B000-memory.dmp
  Filesize: 2.3MB
memory/1984-61-0x0000000000401FA3-mapping.dmp
memory/1984-65-0x0000000000400000-0x00000000004A4600-memory.dmp
  Filesize: 657KB
memory/1984-64-0x00000000289C0000-0x0000000028BDA000-memory.dmp
  Filesize: 2.1MB
memory/1984-57-0x0000000000400000-0x0000000001400000-memory.dmp
  Filesize: 16.0MB
memory/1984-55-0x00000000001B0000-0x00000000002AA000-memory.dmp
  Filesize: 1000KB