Analysis
-
max time kernel
154s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
13-10-2022 15:10
General
-
Target
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe
-
Size
815KB
-
MD5
678d3c068832953f7adc0abdc538e320
-
SHA1
f3283eada70ba0362e9617706272f83f0524b7a1
-
SHA256
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e
-
SHA512
9658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6
-
SSDEEP
12288:XGKVawDC8239wUoGtTvtcAEvNThLDlB1l4TcPPN9vegW37blQ06QOtG6aZQx:2KV6tt/Xa3hhLz1l4TK27rblQHQOt7x
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-bgefhdd.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-bgefhdd.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies data under HKEY_USERS 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe"C:\Users\Admin\AppData\Local\Temp\75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {04FA8D7F-2642-463E-905D-A34925692CC1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hlahqcg.exeC:\Users\Admin\AppData\Local\Temp\hlahqcg.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all3⤵
- Interacts with shadow copies
-
-
C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe"C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe" -u3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD57e40f407a295b6c6882eba9625ac1aad
SHA1c2d3588fee39f524d57fab31d48b585cc4f6db68
SHA256cb9dd01a0f665c76f3fb0fd8a528076fff33b225feefee1cb60e5cae98eddc83
SHA512235751218b3b11aa45e7cbf822c63a0ed157d7f723a7cebbeb18ef79a514ac9bcddbdc9de5238ce36681fff64f075c57e110dad776501967010f4b412af897ee
-
Filesize
654B
MD57e40f407a295b6c6882eba9625ac1aad
SHA1c2d3588fee39f524d57fab31d48b585cc4f6db68
SHA256cb9dd01a0f665c76f3fb0fd8a528076fff33b225feefee1cb60e5cae98eddc83
SHA512235751218b3b11aa45e7cbf822c63a0ed157d7f723a7cebbeb18ef79a514ac9bcddbdc9de5238ce36681fff64f075c57e110dad776501967010f4b412af897ee
-
Filesize
654B
MD56cefa17faccd9b5cf562ba2fd2a2b305
SHA135f53e863c975929c0fccae79771e03e62058b23
SHA256bd891f5541b937502a8bafa94dba03740c37490aba8697bc34c431bec2f32d00
SHA512fcfc2638bbaa431787e671aa7052745bd09f6f3066bcbe66a519e1513dc757a95cdba847a63383fb8c1e32ebf18554aad7e8a4325e8804e659929f8b37095df3
-
Filesize
654B
MD56cefa17faccd9b5cf562ba2fd2a2b305
SHA135f53e863c975929c0fccae79771e03e62058b23
SHA256bd891f5541b937502a8bafa94dba03740c37490aba8697bc34c431bec2f32d00
SHA512fcfc2638bbaa431787e671aa7052745bd09f6f3066bcbe66a519e1513dc757a95cdba847a63383fb8c1e32ebf18554aad7e8a4325e8804e659929f8b37095df3
-
Filesize
815KB
MD5678d3c068832953f7adc0abdc538e320
SHA1f3283eada70ba0362e9617706272f83f0524b7a1
SHA25675b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e
SHA5129658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6
-
Filesize
815KB
MD5678d3c068832953f7adc0abdc538e320
SHA1f3283eada70ba0362e9617706272f83f0524b7a1
SHA25675b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e
SHA5129658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6
-
Filesize
815KB
MD5678d3c068832953f7adc0abdc538e320
SHA1f3283eada70ba0362e9617706272f83f0524b7a1
SHA25675b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e
SHA5129658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
8KB
-
Filesize
2.3MB
-
Filesize
1.2MB
-
Filesize
2.3MB
-
Filesize
2.1MB
-
Filesize
8KB
-
Filesize
2.3MB