Overview

overview

10

Static

static

21a1575646...cd.exe

windows7-x64

10

21a1575646...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd.exe

  • Size

    1019KB

  • MD5

    1ea130f39d90ae08b289a13406410ec3

  • SHA1

    f87fcf3b7becd3ada883a42f79e05943abb21c09

  • SHA256

    21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd

  • SHA512

    3acadb8b2f9062f4c77c6056995f587b6828305ea9583917bd93105fa4233157fc9049271520ade6b69f93707d4bddc1c0aabfd8b15f04dd90a95c266074d017

  • SSDEEP

    24576:fslszepLtFECEBMM4Zf40Pzm+XRtdaBVQIOaZf8P2r:fFepRFEXu4Gyc+J8P2r

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-vmuizxi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. DPSWFLH-RIPMF3C-JBUSVVR-QL7IKNG-KNCRLAT-HDZYSGM-FFFPRL4-LW6WN22 4HMTI3B-XLLKW6C-PW3ZDZX-Y5G6ZQ2-SA6C3JB-FRZQTGH-VLKQ4JS-F3C4QCB BF3MZNE-4YOJ2V5-AXZYHPJ-VSUS7ML-3QYNM4B-RQHXTVM-YNZ6TFD-EJ7LCG4 Follow the instructions on the server.
URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-vmuizxi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. DPSWFLH-RIPMF3C-JBUSVVR-QL7IKNG-KNCRLAT-HDZYSGM-FFFPRL4-LW6WN22 4HMTI3B-XLLKW6C-PW3ZDZX-Y5G6ZQ2-SA6C3JB-FRZQTGH-VLKQ4JS-F3C4QCB BF3MZNE-4YOJ2V5-AXZYHPJ-VSUS7ML-3QYNOPB-TJHXTVM-YNZ6TFD-EJ73J57 Follow the instructions on the server.
URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd.exe
      "C:\Users\Admin\AppData\Local\Temp\21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1376
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:832
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        2⤵
          PID:396
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {D10B0B53-EB33-4DC7-96D0-F8D7E4BA9C21} S-1-5-18:NT AUTHORITY\System:Service:
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
          C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1248
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows all
            3⤵
            • Interacts with shadow copies
            PID:1900
          • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
            "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
            3⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Drops file in System32 directory
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:2024

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      File Deletion

      2
      T1107

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      2
      T1490

      Defacement

      1
      T1491

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Adobe\xptppml
        Filesize

        654B

        MD5

        5b81d8391c76dcb0039318a1d6962589

        SHA1

        45fdc8b4ce3f1f6fe5a81a3edd90eea901837af5

        SHA256

        8778f68d5e684bf81772952ddb8be1af3b4439524deecfd29a3b2b7f326f972a

        SHA512

        2c82559615bdc92e7de8485fedd4892f97aed49939f689839e6be77a87d7b346a8f0eb71e9f7aa7e5b629b6efd7822b17d87aea73065b4b8b5500758f75b96a3

        Download Submit
      • C:\ProgramData\Adobe\xptppml
        Filesize

        654B

        MD5

        5b81d8391c76dcb0039318a1d6962589

        SHA1

        45fdc8b4ce3f1f6fe5a81a3edd90eea901837af5

        SHA256

        8778f68d5e684bf81772952ddb8be1af3b4439524deecfd29a3b2b7f326f972a

        SHA512

        2c82559615bdc92e7de8485fedd4892f97aed49939f689839e6be77a87d7b346a8f0eb71e9f7aa7e5b629b6efd7822b17d87aea73065b4b8b5500758f75b96a3

        Download Submit
      • C:\ProgramData\Adobe\xptppml
        Filesize

        654B

        MD5

        add42dde22cf24594624dfd4cf099469

        SHA1

        028c77d83224735dd5e431f303ac7a422bc943bf

        SHA256

        e230c0d69753cfa4bc3bc8b4f9b65f21a43076898c9fc951a6ccd8a03465b252

        SHA512

        029c9c35aaf16e97116fe32ff663b79a91122ebf03bc3e66ef21bdd097cb7744f5645d46f887cbbce4c663dd6bff83a2a19a428a89d173f68641d046497311f7

        Download Submit
      • C:\ProgramData\Adobe\xptppml
        Filesize

        654B

        MD5

        add42dde22cf24594624dfd4cf099469

        SHA1

        028c77d83224735dd5e431f303ac7a422bc943bf

        SHA256

        e230c0d69753cfa4bc3bc8b4f9b65f21a43076898c9fc951a6ccd8a03465b252

        SHA512

        029c9c35aaf16e97116fe32ff663b79a91122ebf03bc3e66ef21bdd097cb7744f5645d46f887cbbce4c663dd6bff83a2a19a428a89d173f68641d046497311f7

        Download Submit
      • C:\ProgramData\zlwdkgg.html
        Filesize

        64KB

        MD5

        bc9561f255b0b9d6d5310c0b5ed11d56

        SHA1

        738a13448eaa70d9630a443fd0aa4b5037010c10

        SHA256

        dcdb47426cdda560672929b1723544b1a80ac8055cd4283651b01f74732f6b7b

        SHA512

        72315ab9eabb8fa15795def4fd82e60acff49c400fc60c02568a000d43dfc2275caa3bb08895b440eeb468ffecdaadc063acd92fc511e160e5b32c364647822b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
        Filesize

        1019KB

        MD5

        1ea130f39d90ae08b289a13406410ec3

        SHA1

        f87fcf3b7becd3ada883a42f79e05943abb21c09

        SHA256

        21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd

        SHA512

        3acadb8b2f9062f4c77c6056995f587b6828305ea9583917bd93105fa4233157fc9049271520ade6b69f93707d4bddc1c0aabfd8b15f04dd90a95c266074d017

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
        Filesize

        1019KB

        MD5

        1ea130f39d90ae08b289a13406410ec3

        SHA1

        f87fcf3b7becd3ada883a42f79e05943abb21c09

        SHA256

        21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd

        SHA512

        3acadb8b2f9062f4c77c6056995f587b6828305ea9583917bd93105fa4233157fc9049271520ade6b69f93707d4bddc1c0aabfd8b15f04dd90a95c266074d017

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
        Filesize

        1019KB

        MD5

        1ea130f39d90ae08b289a13406410ec3

        SHA1

        f87fcf3b7becd3ada883a42f79e05943abb21c09

        SHA256

        21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd

        SHA512

        3acadb8b2f9062f4c77c6056995f587b6828305ea9583917bd93105fa4233157fc9049271520ade6b69f93707d4bddc1c0aabfd8b15f04dd90a95c266074d017

        Download Submit
      • memory/396-91-0x0000000000000000-mapping.dmp
        Download
      • memory/588-75-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp
        Filesize

        8KB

        Download
      • memory/588-71-0x0000000000D50000-0x0000000000DC7000-memory.dmp
        Filesize

        476KB

        Download
      • memory/588-69-0x0000000000D50000-0x0000000000DC7000-memory.dmp
        Filesize

        476KB

        Download
      • memory/832-74-0x0000000000000000-mapping.dmp
        Download
      • memory/1248-60-0x0000000000000000-mapping.dmp
        Download
      • memory/1248-66-0x0000000001BC0000-0x0000000001E0B000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/1248-63-0x0000000000400000-0x0000000000505000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1248-62-0x0000000001740000-0x0000000001765000-memory.dmp
        Filesize

        148KB

        Download
      • memory/1248-68-0x0000000001740000-0x0000000001765000-memory.dmp
        Filesize

        148KB

        Download
      • memory/1376-56-0x0000000002D80000-0x0000000002F9A000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/1376-67-0x0000000002A20000-0x0000000002A45000-memory.dmp
        Filesize

        148KB

        Download
      • memory/1376-54-0x0000000002A20000-0x0000000002A45000-memory.dmp
        Filesize

        148KB

        Download
      • memory/1376-58-0x0000000002FA0000-0x00000000031EB000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/1376-57-0x0000000075091000-0x0000000075093000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1376-55-0x0000000000400000-0x0000000000505000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1900-81-0x0000000000000000-mapping.dmp
        Download
      • memory/2024-82-0x0000000000000000-mapping.dmp
        Download
      • memory/2024-88-0x00000000030A0000-0x00000000032EB000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/2024-85-0x0000000000400000-0x0000000000505000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2024-90-0x0000000002B20000-0x0000000002B45000-memory.dmp
        Filesize

        148KB

        Download
      • memory/2024-84-0x0000000002B20000-0x0000000002B45000-memory.dmp
        Filesize

        148KB

        Download