ctblocker | 6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495

Analysis

max time kernel
187s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
Size

743KB
MD5

69eb41d973e7c96fe47c381320dfd140
SHA1

e45c2f5e2f74c35beb1a019b708573155f5a17a1
SHA256

6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495
SHA512

5b4a8bf698640d7a25b9b6bdf1b9d73e9c99593c307c2f416b07bc1e9ea70091327cd6afcd5f5717a7f0160c1a46832d79ff4b1e4d1a45113f3f6d986fa88b52
SSDEEP

12288:zogZILd4+csZJQNtUbu+jlkB9XwN6qZvbU5+fXKQbX48KfVko93LYtZtq:zog84MJyUqXwjZvc+fa0Kfzos

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-chldicl.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. DLCWUVP-2JDG2RV-E5JX323-JVS22YN-LK7CLUE-JSDBFXI-BCC4YOK-SSCADGZ RYFXYWF-UDPKLYW-2GUDTPN-P5UXNYI-E6GOZQG-U3GHNPF-3ERNJCJ-S7VDRQZ TGJDVQW-CXYIC64-PGX5A2S-EVXU2NS-FQQ43YP-PQT6D52-NBJ5FDW-FGJGSTT Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-chldicl.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. DLCWUVP-2JDG2RV-E5JX323-JVS22YN-LK7CLUE-JSDBFXI-BCC4YOK-SSCADGZ RYFXYWF-UDPKLYW-2GUDTPN-P5UXNYI-E6GOZQG-U3GHNPF-3ERNJCJ-S7VDRQZ TGJDVQW-CXYIC64-PGX5A2S-EVXU2NS-FQQ45LP-TJT6D52-NBJ5FDW-FGJWGIC Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

gejzibk.exegejzibk.exe

pid process

836 gejzibk.exe
1412 gejzibk.exe

pid	process
836	gejzibk.exe
1412	gejzibk.exe

Loads dropped DLL 4 IoCs

Processes:

6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exegejzibk.exe

pid	process
856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
836	gejzibk.exe
836	gejzibk.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-chldicl.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exegejzibk.exe

description	pid	process	target process
PID 856 set thread context of 948	856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
PID 836 set thread context of 1412	836	gejzibk.exe	gejzibk.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-chldicl.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-chldicl.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_2

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1284 vssadmin.exe

pid	process
1284	vssadmin.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061006200650065003700340034002d0031006100380032002d0031003100650064002d0038003200390030002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exegejzibk.exe

pid	process
948	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe
1412	gejzibk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gejzibk.exe

description pid process

Token: SeDebugPrivilege 1412 gejzibk.exe
Token: SeDebugPrivilege 1412 gejzibk.exe

description	pid	process
Token: SeDebugPrivilege	1412	gejzibk.exe
Token: SeDebugPrivilege	1412	gejzibk.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exetaskeng.exegejzibk.exegejzibk.exesvchost.exe

description	pid	process	target process
PID 856 wrote to memory of 948	856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
PID 856 wrote to memory of 948	856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
PID 856 wrote to memory of 948	856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
PID 856 wrote to memory of 948	856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
PID 856 wrote to memory of 948	856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
PID 856 wrote to memory of 948	856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
PID 856 wrote to memory of 948	856	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe	6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
PID 2012 wrote to memory of 836	2012	taskeng.exe	gejzibk.exe
PID 2012 wrote to memory of 836	2012	taskeng.exe	gejzibk.exe
PID 2012 wrote to memory of 836	2012	taskeng.exe	gejzibk.exe
PID 2012 wrote to memory of 836	2012	taskeng.exe	gejzibk.exe
PID 836 wrote to memory of 1412	836	gejzibk.exe	gejzibk.exe
PID 836 wrote to memory of 1412	836	gejzibk.exe	gejzibk.exe
PID 836 wrote to memory of 1412	836	gejzibk.exe	gejzibk.exe
PID 836 wrote to memory of 1412	836	gejzibk.exe	gejzibk.exe
PID 836 wrote to memory of 1412	836	gejzibk.exe	gejzibk.exe
PID 836 wrote to memory of 1412	836	gejzibk.exe	gejzibk.exe
PID 836 wrote to memory of 1412	836	gejzibk.exe	gejzibk.exe
PID 1412 wrote to memory of 596	1412	gejzibk.exe	svchost.exe
PID 596 wrote to memory of 1200	596	svchost.exe	DllHost.exe
PID 596 wrote to memory of 1200	596	svchost.exe	DllHost.exe
PID 596 wrote to memory of 1200	596	svchost.exe	DllHost.exe
PID 1412 wrote to memory of 1272	1412	gejzibk.exe	Explorer.EXE
PID 1412 wrote to memory of 1284	1412	gejzibk.exe	vssadmin.exe
PID 1412 wrote to memory of 1284	1412	gejzibk.exe	vssadmin.exe
PID 1412 wrote to memory of 1284	1412	gejzibk.exe	vssadmin.exe
PID 1412 wrote to memory of 1284	1412	gejzibk.exe	vssadmin.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
PID:1272

C:\Users\Admin\AppData\Local\Temp\6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
"C:\Users\Admin\AppData\Local\Temp\6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
"C:\Users\Admin\AppData\Local\Temp\6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1200

C:\Windows\system32\taskeng.exe
taskeng.exe {0253D43F-DD72-4A06-8E53-75D8AB40143F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
"C:\Users\Admin\AppData\Local\Temp\gejzibk.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:1284

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\qrsyusl
Filesize
654B

MD5
ee911c84264fe282c2dee758c2600f4b

SHA1
d135f26ef4ce2a04d8f3d697653c477b7acf9971

SHA256
f257eb8bd9a7623e5f4729b303fccd17cd172ee71bd08e9f28ce25b268fa4bfe

SHA512
bbee6e22023b2e4b19641cfbdaec320c358edce61eb3734fede8db70968eaabfee60d0576d8c7ef4787750fd86139e1bbb1a5b0ce497e21addc544cb2e886730

Download Submit
C:\ProgramData\Mozilla\qrsyusl
Filesize
654B

MD5
ee911c84264fe282c2dee758c2600f4b

SHA1
d135f26ef4ce2a04d8f3d697653c477b7acf9971

SHA256
f257eb8bd9a7623e5f4729b303fccd17cd172ee71bd08e9f28ce25b268fa4bfe

SHA512
bbee6e22023b2e4b19641cfbdaec320c358edce61eb3734fede8db70968eaabfee60d0576d8c7ef4787750fd86139e1bbb1a5b0ce497e21addc544cb2e886730

Download Submit
C:\ProgramData\Mozilla\qrsyusl
Filesize
654B

MD5
b7ebaa378995d78ed984e841f8245fc1

SHA1
bad40e1dfe6af25063c1646bc3035b42bc31027d

SHA256
cb91eb0515f25463fb94744dbca1db82edc307f5f13a3af7d6471f93414a0b1e

SHA512
79bfb2fcec9b4048dc325ed74634068ebc6fd2b219a6f9c1c9f1363e9f73c7e555e968b168657db45af801e051e02d324cdb5ca45bbada492f852513a8a4bd4b

Download Submit
C:\ProgramData\Mozilla\qrsyusl
Filesize
654B

MD5
8db68e8a0fd08deb64756c610b2dbb3d

SHA1
458835e1047c6771dd9b88b0e468fab6294adf57

SHA256
b462e3b38c0712c1112f1bc263f07d67d9c449531e05c6b66d8ad1a055438371

SHA512
a664f645d1a7e756a3cc4b5e3216c7b85cee166314fe714ed831a52176d87359966abf00d6097d43f87a948a8f3a38f9ebfad92fd732b8b97e252be268828fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jacob.DLL
Filesize
54KB

MD5
010db3b152d0ea1e58030cf24faa970a

SHA1
7846ef6f5bc59165a8422d5ebb6bd2c687a039ee

SHA256
dbd14b1045af098de2d861f487d534604afc06fcfbeed6c35ecef06b7ea2be0a

SHA512
6473234297caf5bd01a6e89e267631a10277042ab7808db414cf034b962501d85218cb07189f62bc33a2485d91b5649743ae4434af02c2d382e39defb6340270

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
743KB

MD5
69eb41d973e7c96fe47c381320dfd140

SHA1
e45c2f5e2f74c35beb1a019b708573155f5a17a1

SHA256
6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495

SHA512
5b4a8bf698640d7a25b9b6bdf1b9d73e9c99593c307c2f416b07bc1e9ea70091327cd6afcd5f5717a7f0160c1a46832d79ff4b1e4d1a45113f3f6d986fa88b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
743KB

MD5
69eb41d973e7c96fe47c381320dfd140

SHA1
e45c2f5e2f74c35beb1a019b708573155f5a17a1

SHA256
6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495

SHA512
5b4a8bf698640d7a25b9b6bdf1b9d73e9c99593c307c2f416b07bc1e9ea70091327cd6afcd5f5717a7f0160c1a46832d79ff4b1e4d1a45113f3f6d986fa88b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
743KB

MD5
69eb41d973e7c96fe47c381320dfd140

SHA1
e45c2f5e2f74c35beb1a019b708573155f5a17a1

SHA256
6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495

SHA512
5b4a8bf698640d7a25b9b6bdf1b9d73e9c99593c307c2f416b07bc1e9ea70091327cd6afcd5f5717a7f0160c1a46832d79ff4b1e4d1a45113f3f6d986fa88b52

Download Submit
\Users\Admin\AppData\Local\Temp\Jacob.dll
Filesize
54KB

MD5
010db3b152d0ea1e58030cf24faa970a

SHA1
7846ef6f5bc59165a8422d5ebb6bd2c687a039ee

SHA256
dbd14b1045af098de2d861f487d534604afc06fcfbeed6c35ecef06b7ea2be0a

SHA512
6473234297caf5bd01a6e89e267631a10277042ab7808db414cf034b962501d85218cb07189f62bc33a2485d91b5649743ae4434af02c2d382e39defb6340270

Download Submit
\Users\Admin\AppData\Local\Temp\Jacob.dll
Filesize
54KB

MD5
010db3b152d0ea1e58030cf24faa970a

SHA1
7846ef6f5bc59165a8422d5ebb6bd2c687a039ee

SHA256
dbd14b1045af098de2d861f487d534604afc06fcfbeed6c35ecef06b7ea2be0a

SHA512
6473234297caf5bd01a6e89e267631a10277042ab7808db414cf034b962501d85218cb07189f62bc33a2485d91b5649743ae4434af02c2d382e39defb6340270

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF930.tmp\System.dll
Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Windows\Temp\nsoA9AA.tmp\System.dll
Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
memory/596-84-0x0000000000110000-0x0000000000187000-memory.dmp

Filesize
476KB

Download
memory/596-90-0x000007FEFB801000-0x000007FEFB803000-memory.dmp

Filesize
8KB

Download
memory/596-86-0x0000000000110000-0x0000000000187000-memory.dmp

Filesize
476KB

Download
memory/836-68-0x0000000000000000-mapping.dmp

Download
memory/856-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/948-58-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/948-61-0x0000000000401FA3-mapping.dmp

Download
memory/948-60-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/948-66-0x00000000008C0000-0x0000000000B0B000-memory.dmp

Filesize
2.3MB

Download
memory/948-63-0x00000000006A0000-0x00000000008BA000-memory.dmp

Filesize
2.1MB

Download
memory/948-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/948-65-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/1200-89-0x0000000000000000-mapping.dmp

Download
memory/1284-96-0x0000000000000000-mapping.dmp

Download
memory/1412-83-0x0000000000740000-0x000000000098B000-memory.dmp

Filesize
2.3MB

Download
memory/1412-78-0x0000000000401FA3-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads