Analysis
max time kernel: 206s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 23:06
Static task: static1
Behavioral task: behavioral1
  Sample: feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f.exe
  Resource: win10v2004-20221111-en
General
Target: feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f.exe
Size: 742KB
MD5: 8002e12ee374b2cb136757a46116244b
SHA1: 08afb20b09ebbeb30939389edc7e53b6f4c1fc57
SHA256: feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f
SHA512: 0a58b3deb7dc752c407024c2644d6f237b21d3a9a61317cfc64db69f0371e4d75a4a5527c4146374a006e9792c487ba051018beb76aa5e6e1257d3dc7cb3eab1
SSDEEP: 12288:494e4oMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:hes126wFn8KL8tz4MZHVLJtimSimHROY
Malware Config
Extracted from: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-rtmtmsb.txt
URLs:
  http://fizxfsi3cad3kn7v.onion.cab
  http://fizxfsi3cad3kn7v.tor2web.org
  http://fizxfsi3cad3kn7v.onion/
Signatures
CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
Executes dropped EXE (1 IoC)
  pid   Process
  588   obvnomb.exe
Drops file in Program Files directory (2 IoCs)
  description   ioc                                                                                     Process
  File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-rtmtmsb.txt   svchost.exe
  File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-rtmtmsb.bmp   svchost.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  1248   feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f.exe
  588    obvnomb.exe
  588    obvnomb.exe
  588    obvnomb.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   588   obvnomb.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid    Process       procid_target
  PID 1636 wrote to memory of 588    1636   taskeng.exe   29
  PID 1636 wrote to memory of 588    1636   taskeng.exe   29
  PID 1636 wrote to memory of 588    1636   taskeng.exe   29
  PID 1636 wrote to memory of 588    1636   taskeng.exe   29
  PID 588 wrote to memory of 604     588    obvnomb.exe   24
Processes
C:\Users\Admin\AppData\Local\Temp\feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f.exe"
  PID: 1248
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  PID: 604
  - Drops file in Program Files directory
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {347E04A2-6493-4F60-BB53-BCAF21327735} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1636
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\obvnomb.exe (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
    PID: 588
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 654B
MD5: 77d533a03084c4392f0c8b4354042882
SHA1: eda5875be6d0acf70eb734b7ded583caa5ddd269
SHA256: 32695ee52866c0a3a2c4b8fa612ea45e069efe3147b6d50bfa4ab72b7dbc9511
SHA512: 86d34156799857172ac9b5fd8730901840cea5d29b92f80f2265fc0475f3cd150f1e433c23bf86c4904f6a79144ef4006c0715e12752a29bae83497ea995fbe0
Filesize: 742KB
MD5: 8002e12ee374b2cb136757a46116244b
SHA1: 08afb20b09ebbeb30939389edc7e53b6f4c1fc57
SHA256: feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f
SHA512: 0a58b3deb7dc752c407024c2644d6f237b21d3a9a61317cfc64db69f0371e4d75a4a5527c4146374a006e9792c487ba051018beb76aa5e6e1257d3dc7cb3eab1