Analysis

  • max time kernel
    151s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2022 08:59

General

  • Target

    39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe

  • Size

    248KB

  • MD5

    d8704f06cb0813c2cbb543b95fda51ce

  • SHA1

    987886e485ecf443002159065411e42cb0dfc264

  • SHA256

    39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

  • SHA512

    473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

  • SSDEEP

    3072:nhFldQnaongiDIhFxbQO48QmcjVDLAAbwwNL768P2NU+dNWz+78/H6OUdDGBLgvC:NbQFZ1ZnzFFPyc+A/etYXg0kZO0Cm

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-zgjqcsi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. PN2BW33-UU65I7G-NRJLGDN-U5OGLRF-Q3KPRM4-FV5KUWN-XSZYFQM-NO4VGVG V3UT76C-ESX3DQE-QDLE3EZ-L5GPD4V-7AQOLQN-5J6464J-YSYGTZD-C3RRJ7D RHZ7WYI-OYBD23J-CM6S6H5-LOBCGRP-Z7EHPZM-JLKSNCR-I22SDY6-MYDQU4Z Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\ProgramData\yrnkowk.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Executes dropped EXE 4 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\System32\mousocoreworker.exe
      C:\Windows\System32\mousocoreworker.exe -Embedding
      2⤵
      PID:3132
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
      PID:428
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe
      "C:\Users\Admin\AppData\Local\Temp\39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Users\Admin\AppData\Local\Temp\39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe
        "C:\Users\Admin\AppData\Local\Temp\39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3804
  • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
    C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
      "C:\Users\Admin\AppData\Local\Temp\dajjvan.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
        "C:\Users\Admin\AppData\Local\Temp\dajjvan.exe" -u
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
          "C:\Users\Admin\AppData\Local\Temp\dajjvan.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in System32 directory
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:4744

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\ProgramData\Microsoft\akatxdg

        Filesize

        654B

        MD5

        ad91f2ab5d04cf451daa1fe2621d6bc1

        SHA1

        132a2b790d6a24eb9bcd0ad1580eda70a956208e

        SHA256

        7185349fab9d38aad9f308f38765dd2e20623305cd27db5aaaceb9512caf4aa8

        SHA512

        e05927204874c7b94079b7d6174169f5755fb145159d01fc12c53f8d42d9d9c5c196ac17b9b24fe2faa3953678e93eb59acd7cdd36a891646195c6b2f179deef

      • C:\ProgramData\Microsoft\akatxdg

        Filesize

        654B

        MD5

        efd32f70f77ae3ac346ed118352176dc

        SHA1

        d0f38899685e6140b947537cb266606f9509303f

        SHA256

        110c131233c4b271433fab7d88e93848a7a10215876eab36a16cee4aaae0ee78

        SHA512

        a811b878738b266c1af33bdf930de9022e18078166d757c4d0b2e09290ee34d8325e4315b15a174fa57bf9d14256d9ee2acbc28c5a3460ea380853958583046f

      • C:\ProgramData\Microsoft\akatxdg

        Filesize

        654B

        MD5

        3defcb7eece0436dad51d8219e88e7ea

        SHA1

        e98e49e1676118821884cca2d86909aba051b419

        SHA256

        f6ed6f4ca7e5cd9c89c186501ff80b42f64a1cf68d83511e4f94335e3e888c2f

        SHA512

        d66dbda69e2f130e4f6c506817009d50f791e0174460b79fd8b3956454f156f8953cae6f66e4046b1bf1ad7dbe8dd154adfe1561337b89719c6c90525b944d18

      • C:\ProgramData\Microsoft\akatxdg

        Filesize

        654B

        MD5

        71636340f9bc536df4ad2c9fc0039500

        SHA1

        483857e9065d8dfdb4264f2dabcd489a52ebafdd

        SHA256

        28236d743e522a3371fcd5fa50da1d939463589dfbb46b1f4caf8f1c86d365c5

        SHA512

        ae57216f5f624883bd9a72fd5552ba5ea08beb98b7e29290bd819cf7d8e751f97e4ea1577583dc714da5ab24a2f79fa18c39325479f626dfc9a6ea838aa9c376

      • C:\ProgramData\yrnkowk.html

        Filesize

        226KB

        MD5

        79072d701f3b63f9a49079cefdd43000

        SHA1

        33a90382c4fc05d0f6e50dd4ae44a119962cc086

        SHA256

        fb8694bb75d094735ae67900e3eb7083e209a0c8e647a115e9a21e8c7b179e5c

        SHA512

        02af3b9d176b9ac28e3942a1ec97ce588c49fc4fa7eae4949b2804c9fd50b2a3c654ad4590d37e6215531b428367de0ebbb10dad29d11556765ce544aec13dcb

      • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe

        Filesize

        248KB

        MD5

        d8704f06cb0813c2cbb543b95fda51ce

        SHA1

        987886e485ecf443002159065411e42cb0dfc264

        SHA256

        39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

        SHA512

        473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.zgjqcsi

        Filesize

        36KB

        MD5

        72329e50c1ecded3e2933aacd7fe0691

        SHA1

        b250ac91ee86e44771f12d1866e5e4c0d0d3c913

        SHA256

        9c397b9552c4f0ab3ab79c9bd2ce091e9b455816cf9f0a06096ca2d2ec8c6278

        SHA512

        363c1063b8299828eed68d385062087dd95e8c26e94d2d1f3ca23e4159513e68bfe8e942ed4cfaa383444a925ef06984a8cda1b3db54a25f3015a8bb6b372310

      • memory/784-151-0x0000000021880000-0x00000000218F7000-memory.dmp

        Filesize

        476KB

      • memory/3804-139-0x0000000000830000-0x0000000000963000-memory.dmp

        Filesize

        1.2MB

      • memory/3804-138-0x0000000000720000-0x0000000000822000-memory.dmp

        Filesize

        1.0MB

      • memory/3804-144-0x0000000000400000-0x0000000000426E00-memory.dmp

        Filesize

        155KB

      • memory/3804-136-0x0000000000400000-0x0000000000427000-memory.dmp

        Filesize

        156KB

      • memory/4608-150-0x00000000007A0000-0x00000000008D3000-memory.dmp

        Filesize

        1.2MB

      • memory/4744-170-0x0000000000860000-0x0000000000993000-memory.dmp

        Filesize

        1.2MB