Analysis

  • max time kernel
    206s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 23:06

General

  • Target

    feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f.exe

  • Size

    742KB

  • MD5

    8002e12ee374b2cb136757a46116244b

  • SHA1

    08afb20b09ebbeb30939389edc7e53b6f4c1fc57

  • SHA256

    feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f

  • SHA512

    0a58b3deb7dc752c407024c2644d6f237b21d3a9a61317cfc64db69f0371e4d75a4a5527c4146374a006e9792c487ba051018beb76aa5e6e1257d3dc7cb3eab1

  • SSDEEP

    12288:494e4oMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:hes126wFn8KL8tz4MZHVLJtimSimHROY

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-rtmtmsb.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. MOKANJK-65YHOVV-CLO7DHB-CPAF27S-GWNFZTN-2NYWTWB-ZULISU7-3VCTQXL OGNWZQR-MOFMICC-AB73SSD-JLCY47C-XQLJUD6-IJ5PZBT-4XPMRZL-NVRAZPQ QGE66ZQ-BJNG56G-CEGC2RG-LJMHTFD-FYGELRZ-FVXWHMV-TJOA2X6-LUKNU6O Follow the instructions on the server.
URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion/

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f.exe
    "C:\Users\Admin\AppData\Local\Temp\feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1248
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops file in Program Files directory
    PID:604
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {347E04A2-6493-4F60-BB53-BCAF21327735} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
      C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Adobe\lvixnfh

    Filesize

    654B

    MD5

    77d533a03084c4392f0c8b4354042882

    SHA1

    eda5875be6d0acf70eb734b7ded583caa5ddd269

    SHA256

    32695ee52866c0a3a2c4b8fa612ea45e069efe3147b6d50bfa4ab72b7dbc9511

    SHA512

    86d34156799857172ac9b5fd8730901840cea5d29b92f80f2265fc0475f3cd150f1e433c23bf86c4904f6a79144ef4006c0715e12752a29bae83497ea995fbe0

  • C:\ProgramData\Adobe\lvixnfh

    Filesize

    654B

    MD5

    77d533a03084c4392f0c8b4354042882

    SHA1

    eda5875be6d0acf70eb734b7ded583caa5ddd269

    SHA256

    32695ee52866c0a3a2c4b8fa612ea45e069efe3147b6d50bfa4ab72b7dbc9511

    SHA512

    86d34156799857172ac9b5fd8730901840cea5d29b92f80f2265fc0475f3cd150f1e433c23bf86c4904f6a79144ef4006c0715e12752a29bae83497ea995fbe0

  • C:\Users\Admin\AppData\Local\Temp\obvnomb.exe

    Filesize

    742KB

    MD5

    8002e12ee374b2cb136757a46116244b

    SHA1

    08afb20b09ebbeb30939389edc7e53b6f4c1fc57

    SHA256

    feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f

    SHA512

    0a58b3deb7dc752c407024c2644d6f237b21d3a9a61317cfc64db69f0371e4d75a4a5527c4146374a006e9792c487ba051018beb76aa5e6e1257d3dc7cb3eab1

  • C:\Users\Admin\AppData\Local\Temp\obvnomb.exe

    Filesize

    742KB

    MD5

    8002e12ee374b2cb136757a46116244b

    SHA1

    08afb20b09ebbeb30939389edc7e53b6f4c1fc57

    SHA256

    feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f

    SHA512

    0a58b3deb7dc752c407024c2644d6f237b21d3a9a61317cfc64db69f0371e4d75a4a5527c4146374a006e9792c487ba051018beb76aa5e6e1257d3dc7cb3eab1

  • memory/588-66-0x0000000001010000-0x000000000125B000-memory.dmp

    Filesize

    2.3MB

  • memory/604-67-0x00000000000E0000-0x0000000000157000-memory.dmp

    Filesize

    476KB

  • memory/604-69-0x00000000000E0000-0x0000000000157000-memory.dmp

    Filesize

    476KB

  • memory/1248-58-0x0000000002410000-0x000000000265B000-memory.dmp

    Filesize

    2.3MB

  • memory/1248-57-0x00000000021F0000-0x000000000240A000-memory.dmp

    Filesize

    2.1MB

  • memory/1248-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

    Filesize

    8KB

  • memory/1248-55-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

  • memory/1248-56-0x0000000000401000-0x00000000004A5000-memory.dmp

    Filesize

    656KB