Analysis
-
max time kernel
192s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
26-11-2022 09:00
General
-
Target
report-order-tracking-genereted-auto-gls.exe
-
Size
248KB
-
MD5
d8704f06cb0813c2cbb543b95fda51ce
-
SHA1
987886e485ecf443002159065411e42cb0dfc264
-
SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40
-
SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8
-
SSDEEP
3072:nhFldQnaongiDIhFxbQO48QmcjVDLAAbwwNL768P2NU+dNWz+78/H6OUdDGBLgvC:NbQFZ1ZnzFFPyc+A/etYXg0kZO0Cm
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-nntdmzk.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe"C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe"C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {FB342D3B-9111-4871-A031-3BB7A997FA59} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exeC:\Users\Admin\AppData\Local\Temp\vhbumzm.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe"C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft Help\jbnjrvgFilesize
654B
MD50a2ffd6076494686b93100a061ff8783
SHA1813c020e41027017e30871234d73ede354c3f54b
SHA256908617fb9cada02ecf62cdef4effc915e0de7848057cd27e781c2b0b45e394f9
SHA51210021095120889f6493bab41987646f8a783b56538f8b49f60f5456ae2df1038a50f488864266f7f0afb941fb3b65258c74179a1a9db7208c01955366c21f6ee
-
C:\ProgramData\Microsoft Help\jbnjrvgFilesize
654B
MD50a2ffd6076494686b93100a061ff8783
SHA1813c020e41027017e30871234d73ede354c3f54b
SHA256908617fb9cada02ecf62cdef4effc915e0de7848057cd27e781c2b0b45e394f9
SHA51210021095120889f6493bab41987646f8a783b56538f8b49f60f5456ae2df1038a50f488864266f7f0afb941fb3b65258c74179a1a9db7208c01955366c21f6ee
-
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exeFilesize
248KB
MD5d8704f06cb0813c2cbb543b95fda51ce
SHA1987886e485ecf443002159065411e42cb0dfc264
SHA25639202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40
SHA512473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8
-
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exeFilesize
248KB
MD5d8704f06cb0813c2cbb543b95fda51ce
SHA1987886e485ecf443002159065411e42cb0dfc264
SHA25639202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40
SHA512473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8
-
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exeFilesize
248KB
MD5d8704f06cb0813c2cbb543b95fda51ce
SHA1987886e485ecf443002159065411e42cb0dfc264
SHA25639202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40
SHA512473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8
-
memory/580-83-0x00000000004C0000-0x0000000000537000-memory.dmpFilesize
476KB
-
memory/580-81-0x00000000004C0000-0x0000000000537000-memory.dmpFilesize
476KB
-
memory/676-86-0x0000000000000000-mapping.dmp
-
memory/1052-75-0x0000000000420A9C-mapping.dmp
-
memory/1172-67-0x0000000000000000-mapping.dmp
-
memory/1900-65-0x00000000005B0000-0x00000000006E3000-memory.dmpFilesize
1.2MB
-
memory/1900-64-0x0000000075C81000-0x0000000075C83000-memory.dmpFilesize
8KB
-
memory/1900-56-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/1900-63-0x0000000000400000-0x0000000000426E00-memory.dmpFilesize
155KB
-
memory/1900-62-0x00000000004A0000-0x00000000005A2000-memory.dmpFilesize
1.0MB
-
memory/1900-60-0x0000000000420A9C-mapping.dmp
-
memory/1900-59-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/1900-57-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB