Analysis
-
max time kernel
154s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
13-10-2022 15:10
Static task
static1
Behavioral task
behavioral1
Sample
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe
Resource
win10v2004-20220812-en
General
-
Target
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe
-
Size
815KB
-
MD5
678d3c068832953f7adc0abdc538e320
-
SHA1
f3283eada70ba0362e9617706272f83f0524b7a1
-
SHA256
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e
-
SHA512
9658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6
-
SSDEEP
12288:XGKVawDC8239wUoGtTvtcAEvNThLDlB1l4TcPPN9vegW37blQ06QOtG6aZQx:2KV6tt/Xa3hhLz1l4TK27rblQHQOt7x
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-bgefhdd.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-bgefhdd.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications. The two ransom notes extracted above point at a single hidden service (pf5dahldauhrjxfd.onion) three ways: the .onion address itself and two Tor2Web gateways (onion.cab, tor2web.org) that proxy it over the clearnet, so a victim without a Tor client can still reach the payment page. The gateway hostnames are the usable network indicators for victim-side contact; the .onion name is the one that stays constant across gateways.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
hlahqcg.exe carries the same MD5/SHA1/SHA256 as the submitted sample (see Downloads): a byte-identical copy is dropped into the user's Temp directory and then started by taskeng.exe, i.e. through a scheduled task rather than as a direct child of the sample.
Processes:
- PID 1112 hlahqcg.exe
- PID 1604 hlahqcg.exe
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\MergeReset.CRW.bgefhdd (svchost.exe)
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CopyCheckpoint.RAW.bgefhdd (svchost.exe)
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DenyAssert.CRW.bgefhdd (svchost.exe)
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExpandImport.CRW.bgefhdd (svchost.exe)
-
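The four renames above show how this sample encrypts: ciphertext is written to a scratch file C:\Windows\Temp\laaaaaaa.tmp and then renamed over the victim file, with a seven-letter suffix (.bgefhdd) appended after the original extension, from inside svchost.exe, a process that should never touch user documents. The following is an added example, not part of this sandbox report and not the malware's code: a Python detector that runs over file-rename events in the report's own line format, flags the staged-rename pattern, recovers the appended extension and predicts the ransom-note filename, which this report shows as !Decrypt-All-Files-<ext>.txt. The event list is constructed (the four real lines from this report plus three assumed benign renames), and the list of user-data extensions is an assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input. The first four lines are the "File renamed" IoCs from this
# report; the last three are assumed benign renames added so the filter has something to reject.
RENAME_EVENTS = [
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\MergeReset.CRW.bgefhdd svchost.exe",
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CopyCheckpoint.RAW.bgefhdd svchost.exe",
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DenyAssert.CRW.bgefhdd svchost.exe",
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExpandImport.CRW.bgefhdd svchost.exe",
    r"File renamed C:\Users\Admin\Downloads\~report.tmp => C:\Users\Admin\Downloads\report.docx WINWORD.EXE",
    r"File renamed C:\Windows\Temp\inst.tmp => C:\Users\Admin\AppData\Local\Temp\setup.log msiexec.exe",
    r"File renamed C:\Users\Admin\Desktop\notes.txt => C:\Users\Admin\Desktop\notes.txt.bak Explorer.EXE",
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+?) (?P<proc>\S+)$")

# Document types a ransomware pass is expected to hit (assumed list; extend for your estate).
USER_DATA_EXTS = {".crw", ".raw", ".jpg", ".png", ".doc", ".docx", ".xls", ".xlsx",
                  ".pdf", ".txt", ".zip", ".psd", ".dwg"}


def parse_rename(line):
    """Split one sandbox 'File renamed SRC => DST PROCESS' line into its three fields."""
    m = RENAME_RE.match(line)
    return (m["src"], m["dst"], m["proc"]) if m else None


def staged_encrypt_rename(src, dst):
    """Return the appended extension when a rename matches the staged write seen in this
    report: a scratch file under the Windows Temp directory is renamed over a user
    document, and the destination keeps the original extension with a new suffix after it."""
    s, d = PureWindowsPath(src), PureWindowsPath(dst)
    parts = [p.lower() for p in s.parts]
    if len(parts) < 4 or parts[1:3] != ["windows", "temp"]:
        return None
    suffixes = d.suffixes
    if len(suffixes) < 2 or suffixes[-2].lower() not in USER_DATA_EXTS:
        return None
    return suffixes[-1].lstrip(".")


def analyze(events, min_files=3):
    """Group staged renames by (process, appended extension). Any process that rewrote at
    least min_files distinct documents with the same new suffix is reported, together with
    the ransom-note name this family derives from the suffix (seen in this report as
    !Decrypt-All-Files-bgefhdd.txt)."""
    hits = defaultdict(set)
    for line in events:
        parsed = parse_rename(line)
        if not parsed:
            continue
        src, dst, proc = parsed
        ext = staged_encrypt_rename(src, dst)
        if ext:
            hits[(proc, ext)].add(dst)
    return [
        {"process": proc, "extension": ext, "files": sorted(files),
         "expected_note": f"!Decrypt-All-Files-{ext}.txt"}
        for (proc, ext), files in hits.items() if len(files) >= min_files
    ]


if __name__ == "__main__":
    for finding in analyze(RENAME_EVENTS):
        print(f"{finding['process']}: {len(finding['files'])} files -> .{finding['extension']}, "
              f"expect note {finding['expected_note']}")
```

The source-directory check matters as much as the suffix check: a user renaming notes.txt to notes.txt.bak on the Desktop also "appends an extension", and only the Windows\Temp staging plus the per-process count separates the two.
-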
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation (hlahqcg.exe)
-
Drops desktop.ini file(s) 1 IoCs
Processes:
- File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (svchost.exe)
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-bgefhdd.bmp" (Explorer.EXE)
-
Drops file in Program Files directory 2 IoCs
Processes:
- File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-bgefhdd.txt (svchost.exe)
- File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-bgefhdd.bmp (svchost.exe)
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 1608 vssadmin.exe
-
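The process tree below shows vssadmin.exe (PID 1608) spawned by hlahqcg.exe with the command line `vssadmin delete shadows all`, so the shadow-copy deletion is attributable to a binary running from the user's Temp directory. The following is an added example, not from the report: a Python detector for the Inhibit System Recovery pattern (ATT&CK T1490) over process-creation records. It matches on the normalised image name and argument keywords rather than an exact string, so spellings such as vssadmin.exe, /Quiet, /For=C:, wmic shadowcopy delete and wbadmin delete catalog are all caught, and it raises the severity when the parent image lives in a user-writable directory. The records are constructed: the first is this report's vssadmin invocation, the rest are assumed benign and malicious variants; the user-writable path list is an assumption.

```python
import re
import shlex

# Constructed process-creation records. The first is the vssadmin invocation in this report
# (parent hlahqcg.exe, run from the user's Temp directory); the rest are assumed benign and
# malicious variants added for contrast and are not from the report.
SAMPLE_PROCESSES = [
    {"pid": 1608, "parent_image": r"C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe",
     "cmdline": "vssadmin delete shadows all"},
    {"pid": 2001, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 2002, "parent_image": r"C:\Users\Admin\AppData\Roaming\updater.exe",
     "cmdline": r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"},
    {"pid": 2003, "parent_image": r"C:\Program Files\BackupAgent\agent.exe",
     "cmdline": "vssadmin.exe Delete Shadows /For=C: /Oldest /Quiet"},
    {"pid": 2004, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\wbadmin.exe" DELETE CATALOG -quiet'},
]

# image name -> (keywords that must all appear, label). Matching on normalised keywords rather
# than a literal string covers /flag, -flag and key=value spellings.
INHIBIT_RECOVERY = {
    "vssadmin": ({"delete", "shadows"}, "vssadmin delete shadows"),
    "wmic": ({"shadowcopy", "delete"}, "wmic shadowcopy delete"),
    "wbadmin": ({"delete", "catalog"}, "wbadmin delete catalog"),
}

# Assumed set of user-writable locations; a recovery-inhibiting command whose parent runs
# from one of these is far more suspicious than one launched by an installed backup agent.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|^[a-z]:\\windows\\temp\\",
    re.I)


def normalize(cmdline):
    """Return (bare image name, set of bare argument keywords) for a Windows command line."""
    try:
        argv = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes intact
    except ValueError:                            # unbalanced quote: fall back to whitespace split
        argv = cmdline.split()
    argv = [a.strip('"') for a in argv]
    if not argv:
        return None, set()
    image = argv[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image.endswith(".exe"):
        image = image[:-4]
    # "/For=C:" -> "for", "-quiet" -> "quiet", "Shadows" -> "shadows"
    args = {a.lstrip("/-").split("=", 1)[0].lower() for a in argv[1:]}
    return image, args


def detect(proc):
    """Return a T1490 finding for one process record, or None."""
    image, args = normalize(proc["cmdline"])
    rule = INHIBIT_RECOVERY.get(image)
    if rule is None or not rule[0] <= args:
        return None
    severity = "high" if USER_WRITABLE.search(proc["parent_image"]) else "medium"
    return {"pid": proc["pid"], "technique": "T1490", "match": rule[1], "severity": severity}


def scan(procs):
    return [f for f in map(detect, procs) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f)
```

Keyword matching deliberately ignores argument order and decoration, so `vssadmin list shadows` (a legitimate administrative query) is not flagged while every spelling of the deletion is. Parent-path scoring is a triage aid, not a whitelist: a backup agent's own vssadmin call still produces a medium finding that a human should confirm.
-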
Modifies data under HKEY_USERS 19 IoCs
Processes:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8031afe4-1a82-11ed-a08f-806e6f6e6963}\MaxCapacity = "15140" (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8031afe4-1a82-11ed-a08f-806e6f6e6963} (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8031afe4-1a82-11ed-a08f-806e6f6e6963}\NukeOnDelete = "0" (svchost.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00380030003300310061006600650034002d0031006100380032002d0031003100650064002d0061003000380066002d003800300036006500360066003600650036003900360033007d0000000000 (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" (svchost.exe)
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
- PID 1388 75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe (1 event)
- PID 1112 hlahqcg.exe (21 events)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1112 hlahqcg.exe (2 events)
- Token: SeShutdownPrivilege, PID 1396 Explorer.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 1604 hlahqcg.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
- PID 1604 hlahqcg.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 1604 hlahqcg.exe (2 events)
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
- PID 1324 taskeng.exe wrote to memory of PID 1112 hlahqcg.exe (4 events)
- PID 1112 hlahqcg.exe wrote to memory of PID 596 svchost.exe (1 event)
- PID 596 svchost.exe wrote to memory of PID 580 DllHost.exe (3 events)
- PID 1112 hlahqcg.exe wrote to memory of PID 1396 Explorer.EXE (1 event)
- PID 1112 hlahqcg.exe wrote to memory of PID 1608 vssadmin.exe (4 events)
- PID 1112 hlahqcg.exe wrote to memory of PID 1604 hlahqcg.exe (4 events)
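Reading the WriteProcessMemory events against the process tree separates loader noise from injection. A parent writing into the child it has just created (taskeng.exe into hlahqcg.exe, hlahqcg.exe into vssadmin.exe and into its own "-u" copy, svchost.exe into DllHost.exe) is ordinary process start-up. hlahqcg.exe (PID 1112) writing into svchost.exe -k DcomLaunch (PID 596) and into Explorer.EXE (PID 1396), neither of which it spawned, is code injection, and it is why the file renames, ransom-note drops and wallpaper change in this report are attributed to svchost.exe and Explorer.EXE rather than to the malware's own image. The following is an added example, not part of the report: a Python routine that parses these event lines, drops parent-to-child writes using the process tree, and walks the injection chain back from the encrypting svchost.exe to the scheduled-task host that launched the dropper. The event lines and the pid/parent map are constructed from this report's tables.

```python
import re

# Constructed from this report's "Suspicious use of WriteProcessMemory" IoCs (17 events,
# repeated as the sandbox listed them) and its process tree.
WPM_EVENTS = (
    ["PID 1324 wrote to memory of 1112 1324 taskeng.exe hlahqcg.exe"] * 4
    + ["PID 1112 wrote to memory of 596 1112 hlahqcg.exe svchost.exe"]
    + ["PID 596 wrote to memory of 580 596 svchost.exe DllHost.exe"] * 3
    + ["PID 1112 wrote to memory of 1396 1112 hlahqcg.exe Explorer.EXE"]
    + ["PID 1112 wrote to memory of 1608 1112 hlahqcg.exe vssadmin.exe"] * 4
    + ["PID 1112 wrote to memory of 1604 1112 hlahqcg.exe hlahqcg.exe"] * 4
)

SAMPLE = "75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe"

# pid -> (image, parent pid); top-level processes in the report's tree have no parent.
PROCESS_TREE = {
    1396: ("Explorer.EXE", None),
    1388: (SAMPLE, 1396),
    596: ("svchost.exe", None),
    580: ("DllHost.exe", 596),
    1324: ("taskeng.exe", None),
    1112: ("hlahqcg.exe", 1324),
    1608: ("vssadmin.exe", 1112),
    1604: ("hlahqcg.exe", 1112),
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_writes(lines):
    """Collapse repeated events into {(writer_pid, target_pid): (writer_image, target_image, count)}."""
    writes = {}
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        key = (int(m[1]), int(m[2]))
        prev = writes.get(key)
        writes[key] = (m[3], m[4], prev[2] + 1 if prev else 1)
    return writes


def parent_of(tree, pid):
    return tree.get(pid, (None, None))[1]


def cross_process_injections(writes, tree):
    """Keep only writes into a process the writer did not create. A parent writing into its
    freshly spawned child is normal start-up; a write into an unrelated process is the
    injection signal."""
    return {k: v for k, v in writes.items() if parent_of(tree, k[1]) != k[0]}


def attribute(pid, injections, tree):
    """From a process that performed some action, walk back through whoever injected into it,
    then up the parent chain of the last injector. Returns the chain as (pid, image) pairs."""
    chain, seen, cur = [pid], {pid}, pid
    while True:
        injectors = [w for (w, t) in injections if t == cur and w not in seen]
        if not injectors:
            break
        cur = injectors[0]
        chain.append(cur)
        seen.add(cur)
    while parent_of(tree, cur) is not None:
        cur = parent_of(tree, cur)
        chain.append(cur)
    return [(p, tree.get(p, ("?", None))[0]) for p in chain]


if __name__ == "__main__":
    inj = cross_process_injections(parse_writes(WPM_EVENTS), PROCESS_TREE)
    for (w, t), (wi, ti, n) in sorted(inj.items()):
        print(f"injection: {wi} ({w}) -> {ti} ({t}), {n} write(s)")
    for pid in (596, 1396):  # the encrypting svchost and the wallpaper-setting Explorer
        print(" <- ".join(f"{img}[{p}]" for p, img in attribute(pid, inj, PROCESS_TREE)))
```

The same walk applied to vssadmin.exe (PID 1608) yields no injector and goes straight up the parent chain, which is the expected result for a process the malware launched directly rather than hijacked.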
Processes
-
C:\Windows\Explorer.EXE (PID 1396, depth 1)
Command line: C:\Windows\Explorer.EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe (PID 1388, depth 2, child of Explorer.EXE)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe"
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe (PID 596, depth 1)
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
  C:\Windows\system32\DllHost.exe (PID 580, depth 2, child of svchost.exe)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
-
C:\Windows\system32\taskeng.exe (PID 1324, depth 1)
Command line: taskeng.exe {04FA8D7F-2642-463E-905D-A34925692CC1} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe (PID 1112, depth 2, child of taskeng.exe)
  Command line: C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vssadmin.exe (PID 1608, depth 3, child of hlahqcg.exe)
    Command line: vssadmin delete shadows all
    - Interacts with shadow copies
    C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe (PID 1604, depth 3, child of hlahqcg.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe" -u
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Package Cache\epmlysm
Filesize
654B
MD5
7e40f407a295b6c6882eba9625ac1aad
SHA1
c2d3588fee39f524d57fab31d48b585cc4f6db68
SHA256
cb9dd01a0f665c76f3fb0fd8a528076fff33b225feefee1cb60e5cae98eddc83
SHA512
235751218b3b11aa45e7cbf822c63a0ed157d7f723a7cebbeb18ef79a514ac9bcddbdc9de5238ce36681fff64f075c57e110dad776501967010f4b412af897ee
-
C:\ProgramData\Package Cache\epmlysm
Filesize
654B
MD5
6cefa17faccd9b5cf562ba2fd2a2b305
SHA1
35f53e863c975929c0fccae79771e03e62058b23
SHA256
bd891f5541b937502a8bafa94dba03740c37490aba8697bc34c431bec2f32d00
SHA512
fcfc2638bbaa431787e671aa7052745bd09f6f3066bcbe66a519e1513dc757a95cdba847a63383fb8c1e32ebf18554aad7e8a4325e8804e659929f8b37095df3
-
C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
Filesize
815KB
MD5
678d3c068832953f7adc0abdc538e320
SHA1
f3283eada70ba0362e9617706272f83f0524b7a1
SHA256
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e
SHA512
9658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6
-
memory/580-69-0x0000000000000000-mapping.dmp
-
memory/596-66-0x0000000000120000-0x0000000000197000-memory.dmp
Filesize
476KB
-
memory/596-64-0x0000000000120000-0x0000000000197000-memory.dmp
Filesize
476KB
-
memory/596-70-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
Filesize
8KB
-
memory/1112-63-0x0000000001020000-0x000000000126B000-memory.dmp
Filesize
2.3MB
-
memory/1112-59-0x0000000000000000-mapping.dmp
-
memory/1388-57-0x0000000000400000-0x0000000000532000-memory.dmp
Filesize
1.2MB
-
memory/1388-56-0x0000000002450000-0x000000000269B000-memory.dmp
Filesize
2.3MB
-
memory/1388-55-0x0000000002230000-0x000000000244A000-memory.dmp
Filesize
2.1MB
-
memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp
Filesize
8KB
-
memory/1604-77-0x0000000000000000-mapping.dmp
-
memory/1604-81-0x0000000002470000-0x00000000026BB000-memory.dmp
Filesize
2.3MB
-
memory/1608-76-0x0000000000000000-mapping.dmp