Analysis
-
max time kernel
150s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
29-10-2022 15:55
General
-
Target
f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
-
Size
772KB
-
MD5
95f60b5b36d63307d83e3f3de9675a1d
-
SHA1
da733991d9618b3a3bb5cc503ba0e860f1e8ea29
-
SHA256
f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
-
SHA512
de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
-
SSDEEP
12288:6sFxcCZxPEWJNy93q0DWm9+X6MSUJKzR9wz2U7qdyys2he3gxNMlKglt8RsrtUvy:bHP7gqXpKGNehe3x3r8CU
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-iulhzxi.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-iulhzxi.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\ProgramData\zlwdkgg.html
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe"C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exeC:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {0CCD9567-6469-45F8-9FE2-4FF8E3C0E452} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeC:\Users\Admin\AppData\Local\Temp\pdfisga.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeC:\Users\Admin\AppData\Local\Temp\pdfisga.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeC:\Users\Admin\AppData\Local\Temp\pdfisga.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Adobe\xptppmlFilesize
654B
MD5d604850b0c211b77456f9f2c6f5e9676
SHA16773715283688ddf6b5db3a9c94dfc0e58bf6daa
SHA256c9ea5c3d36864de9c858b9fd5fa833dcc904dec67be2adc3f90ffabe591a4ba5
SHA5129a4ae8c3c9fdc02b9b093cc809b99d027eb9c09f991a4aa666939f4fa8800d21d4745ce826215771828747c8051424738f74eae402f5df2a8e8f24010cc6466a
-
C:\ProgramData\Adobe\xptppmlFilesize
654B
MD5d604850b0c211b77456f9f2c6f5e9676
SHA16773715283688ddf6b5db3a9c94dfc0e58bf6daa
SHA256c9ea5c3d36864de9c858b9fd5fa833dcc904dec67be2adc3f90ffabe591a4ba5
SHA5129a4ae8c3c9fdc02b9b093cc809b99d027eb9c09f991a4aa666939f4fa8800d21d4745ce826215771828747c8051424738f74eae402f5df2a8e8f24010cc6466a
-
C:\ProgramData\Adobe\xptppmlFilesize
654B
MD500adb3e2d9317ad2589dcdfe8c23a22b
SHA1ac70dbf0dd39d8e50e37fa7c93ad18f2a8eed49b
SHA256100669ab3b5989c67644409945cbc053537d561d8c91e273c9203fb394d98fb6
SHA5122f4edef0dc7c968f79fd8a05d5ea21aa90efd084c9550fcfca549f8f0d6ae8927c0136ea2f35227337eac3c2eb570b3bf059f3522047a338ea0bd1082804f6dd
-
C:\ProgramData\Adobe\xptppmlFilesize
654B
MD500adb3e2d9317ad2589dcdfe8c23a22b
SHA1ac70dbf0dd39d8e50e37fa7c93ad18f2a8eed49b
SHA256100669ab3b5989c67644409945cbc053537d561d8c91e273c9203fb394d98fb6
SHA5122f4edef0dc7c968f79fd8a05d5ea21aa90efd084c9550fcfca549f8f0d6ae8927c0136ea2f35227337eac3c2eb570b3bf059f3522047a338ea0bd1082804f6dd
-
C:\ProgramData\zlwdkgg.htmlFilesize
63KB
MD50b941d485f8f7d5eba5ebd7c39790a40
SHA1312a29ddc2f74115402e5dd63311ba0b02104788
SHA25605cac189bf20125a30c0b07e9b47eb25cdfcc5977c49019d71d91e1a360ab366
SHA512ab535c12b64fd59560cd54477542de434572176f62bac80505e903ba315ed002c6d513a3c9d17d1b2d0722a6c8b3a2d216c214beac6d0ebeb5359d67d0f6a0fb
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
772KB
MD595f60b5b36d63307d83e3f3de9675a1d
SHA1da733991d9618b3a3bb5cc503ba0e860f1e8ea29
SHA256f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
SHA512de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
772KB
MD595f60b5b36d63307d83e3f3de9675a1d
SHA1da733991d9618b3a3bb5cc503ba0e860f1e8ea29
SHA256f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
SHA512de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
772KB
MD595f60b5b36d63307d83e3f3de9675a1d
SHA1da733991d9618b3a3bb5cc503ba0e860f1e8ea29
SHA256f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
SHA512de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
772KB
MD595f60b5b36d63307d83e3f3de9675a1d
SHA1da733991d9618b3a3bb5cc503ba0e860f1e8ea29
SHA256f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
SHA512de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
772KB
MD595f60b5b36d63307d83e3f3de9675a1d
SHA1da733991d9618b3a3bb5cc503ba0e860f1e8ea29
SHA256f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
SHA512de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
-
memory/276-106-0x0000000000401FA3-mapping.dmp
-
memory/276-111-0x0000000028A00000-0x0000000028C4B000-memory.dmpFilesize
2.3MB
-
memory/472-78-0x0000000000401FA3-mapping.dmp
-
memory/472-83-0x00000000289F0000-0x0000000028C3B000-memory.dmpFilesize
2.3MB
-
memory/596-90-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmpFilesize
8KB
-
memory/596-84-0x0000000000670000-0x00000000006E7000-memory.dmpFilesize
476KB
-
memory/596-86-0x0000000000670000-0x00000000006E7000-memory.dmpFilesize
476KB
-
memory/804-89-0x0000000000000000-mapping.dmp
-
memory/1000-97-0x0000000000000000-mapping.dmp
-
memory/1280-96-0x0000000000000000-mapping.dmp
-
memory/1376-69-0x0000000000000000-mapping.dmp
-
memory/1456-54-0x0000000075B51000-0x0000000075B53000-memory.dmpFilesize
8KB
-
memory/1456-60-0x0000000000360000-0x0000000000364000-memory.dmpFilesize
16KB
-
memory/1516-67-0x0000000028990000-0x0000000028BDB000-memory.dmpFilesize
2.3MB
-
memory/1516-66-0x0000000000400000-0x00000000004A4600-memory.dmpFilesize
657KB
-
memory/1516-64-0x0000000028770000-0x000000002898A000-memory.dmpFilesize
2.1MB
-
memory/1516-62-0x0000000000401FA3-mapping.dmp
-
memory/1516-61-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/1516-58-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/1516-57-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/1516-55-0x00000000001B0000-0x00000000002AA000-memory.dmpFilesize
1000KB
-
memory/1988-113-0x0000000000000000-mapping.dmp