Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2022 09:00

General

  • Target

    9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe

  • Size

    742KB

  • MD5

    39c0e005cd2892a7b315081f9db6dc37

  • SHA1

    e9c2dda548ca0f53939d8bbf9228a92977964341

  • SHA256

    9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

  • SHA512

    e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

  • SSDEEP

    12288:T2359uMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:S5p126wFn8KL8tz4MZHVLJtimSimHROY

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-fpcelmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. EJ23DKV-3ULGU5C-DZKZNYN-FMGPYLO-5BBNB3V-3F6GKAV-LOV7G37-WEGG74F VBH25TC-AHM5SXN-JSBJO64-NF56BJF-WHOYQDY-EODMLAC-ZNDKZYW-6LL5AAX SI4XGSP-NXCK3IW-I6LRE3U-JNXHAZD-HHIABSD-PKBKCIJ-G46CUBK-54EVLBP Follow the instructions on the server.
URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-fpcelmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. EJ23DKV-3ULGU5C-DZKZNYN-FMGPYLO-5BBNB3V-3F6GKAV-LOV7G37-WEGG74F VBH25TC-AHM5SXN-JSBJO64-NF56BJF-WHOYQDY-EODMLAC-ZNDKZYW-6LL5AAX SI4XGSP-NXCK3IW-I6LRE3U-JNXHAZD-HHIATDD-DSBKCIJ-G46CUBK-54EFHIQ Follow the instructions on the server.
URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion/
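
Both extracted notes point at the same hidden service, reachable directly as a .onion address or through two web-to-Tor gateways (onion.cab and tor2web.org), and both carry three 56-character key groups; the two copies differ only in the last group. The Python parser below is an added example, not tooling from the sandbox or the report, that pulls the onion identifier, the URLs by role and the key groups out of a note so the copies can be compared mechanically. The note text is the one shown above (the Documents copy is derived by substituting its differing group); the field and function names are my own.

```python
import re
from urllib.parse import urlparse

# Ransom note text copied from the !Decrypt-All-Files-fpcelmn.txt extraction
# under Program Files in this report; the Documents copy differs only in its
# last key group, so it is derived by substitution below.
NOTE_PROGRAM_FILES = (
    "Your documents, photos, databases and other important files have been "
    "encrypted with strongest encryption and unique key, generated for this "
    "computer. Private decryption key is stored on a secret Internet server and "
    "nobody can decrypt your files until you pay and obtain the private key. "
    "If you see the main locker window, follow the instructions on the locker. "
    "Overwise, it's seems that you or your antivirus deleted the locker program. "
    "Now you have the last chance to decrypt your files. Open "
    "http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org "
    "in your browser. They are public gates to the secret server. If you have "
    "problems with gates, use direct connection: 1. Download Tor Browser from "
    "http://torproject.org 2. In the Tor Browser open the "
    "http://fizxfsi3cad3kn7v.onion/ Note that this server is available via Tor "
    "Browser only. Retry in 1 hour if site is not reachable. Copy and paste the "
    "following public key in the input form on server. Avoid missprints. "
    "EJ23DKV-3ULGU5C-DZKZNYN-FMGPYLO-5BBNB3V-3F6GKAV-LOV7G37-WEGG74F "
    "VBH25TC-AHM5SXN-JSBJO64-NF56BJF-WHOYQDY-EODMLAC-ZNDKZYW-6LL5AAX "
    "SI4XGSP-NXCK3IW-I6LRE3U-JNXHAZD-HHIABSD-PKBKCIJ-G46CUBK-54EVLBP "
    "Follow the instructions on the server."
)
NOTE_DOCUMENTS = NOTE_PROGRAM_FILES.replace(
    "HHIABSD-PKBKCIJ-G46CUBK-54EVLBP", "HHIATDD-DSBKCIJ-G46CUBK-54EFHIQ"
)

URL_RE = re.compile(r"https?://\S+")
# 16-character v2 onion identifier, reached directly or via a web-to-Tor gateway.
ONION_HOST_RE = re.compile(r"^([a-z2-7]{16})\.(onion|onion\.cab|tor2web\.org)$")
# Key group: eight hyphen-separated 7-character fields (56 characters without hyphens).
KEY_RE = re.compile(r"\b(?:[A-Z0-9]{7}-){7}[A-Z0-9]{7}\b")


def parse_note(text):
    """Extract onion identifiers, URLs grouped by role, and the key groups."""
    onion_ids, direct, gateways, other = set(), [], [], []
    for url in URL_RE.findall(text):
        m = ONION_HOST_RE.match(urlparse(url).hostname or "")
        if not m:
            other.append(url)          # e.g. the Tor Browser download link
            continue
        onion_ids.add(m.group(1))
        if m.group(2) == "onion":
            direct.append(url)         # reachable only through Tor
        else:
            gateways.append(url)       # clearnet gateway in front of the same service
    blocks = KEY_RE.findall(text)
    return {
        "onion_ids": sorted(onion_ids),
        "onion_urls": direct,
        "gateway_urls": gateways,
        "other_urls": other,
        "key_blocks": blocks,
        "victim_id": "".join(b.replace("-", "") for b in blocks),
    }


def differing_key_blocks(a, b):
    """Indices of the key groups that differ between two parsed notes."""
    return [i for i, (x, y) in enumerate(zip(a["key_blocks"], b["key_blocks"])) if x != y]
```

Normalising the gateway hostnames back to the bare onion identifier is the useful step: the same hidden service can be fronted by any number of web-to-Tor gateways, so a block or hunt on `fizxfsi3cad3kn7v` covers all of them, while a rule keyed on the `.onion.cab` URL alone does not.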

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Modifies data under HKEY_USERS 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
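
The signatures above record two linked artefacts: encrypted files keep their original name and extension and gain a seven-letter suffix (CheckpointOut.DOC.fpcelmn), and the ransom note !Decrypt-All-Files-fpcelmn.txt carries that same suffix. The Python below is an added example, not tooling from the report, that turns this into a triage check over a file listing: a suffix only counts as confirmed when a note with the same suffix is present on the same host, which keeps ordinary seven-letter extensions from firing. The listing is constructed from the paths in this report plus one benign decoy; the pattern and function names are my own.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Note name seen in this report: !Decrypt-All-Files-fpcelmn.txt (7 lowercase letters).
NOTE_RE = re.compile(r"^!Decrypt-All-Files-([a-z]{7})\.txt$", re.IGNORECASE)
# Encrypted name seen in this report: <original>.<ext>.<7 lowercase letters>.
ENC_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<suffix>[a-z]{7})$")

# Constructed listing: paths from the Downloads section of this report plus one
# benign decoy (notes.txt.backups) that also ends in seven lowercase letters.
LISTING = [
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-fpcelmn.txt",
    r"C:\Users\Admin\Documents\!Decrypt-All-Files-fpcelmn.txt",
    r"C:\Users\Admin\Desktop\CheckpointOut.DOC.fpcelmn",
    r"C:\Users\Admin\Desktop\ProtectPush.RTF.fpcelmn",
    r"C:\Users\Admin\Desktop\RestartDebug.RAR.fpcelmn",
    r"C:\Users\Admin\Desktop\WriteRemove.ODP.fpcelmn",
    r"C:\ProgramData\Microsoft Help\aubdarb",
    r"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe",
    r"C:\Users\Admin\Desktop\notes.txt.backups",
]


def triage(paths):
    """Group ransom notes and renamed files by suffix and confirm the overlap."""
    notes = defaultdict(list)    # suffix -> note paths
    renamed = defaultdict(list)  # suffix -> (encrypted path, recoverable original name)
    for p in paths:
        name = PureWindowsPath(p).name
        m = NOTE_RE.match(name)
        if m:
            notes[m.group(1).lower()].append(p)
            continue
        m = ENC_RE.match(name)
        if m:
            renamed[m.group("suffix")].append((p, m.group("orig")))
    # A suffix is confirmed only when a note with the same suffix exists;
    # otherwise it stays a candidate for a human to look at.
    confirmed = sorted(s for s in renamed if s in notes)
    unconfirmed = sorted(s for s in renamed if s not in notes)
    return {
        "notes": dict(notes),
        "renamed": dict(renamed),
        "confirmed": confirmed,
        "unconfirmed": unconfirmed,
    }


def originals(result, suffix):
    """Original file names recoverable from the encrypted names for one suffix."""
    return sorted(orig for _, orig in result["renamed"].get(suffix, []))
```

Because the original extension survives inside the new name, the list returned by `originals` doubles as an inventory of what was hit, which is usually the first thing an incident responder is asked for.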

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    PID:1388
    • C:\Users\Admin\AppData\Local\Temp\9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe
      "C:\Users\Admin\AppData\Local\Temp\9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1196
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
      PID:1232
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E1C49DCA-2FD0-4029-B638-15B188CDE006} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
      C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1048
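
Two things in the tree above are worth encoding as checks. The dropped copy pcrcyge.exe, whose hashes match the submitted sample, is started by taskeng.exe, the Windows 7 scheduled-task engine, from the user's Temp directory; and the file-modification signatures (renamed user files, Program Files drops) are attributed to svchost.exe -k DcomLaunch (PID 580) rather than to either sample process. The Python below is an added example, not part of the report, that expresses both observations as rules over process-creation and file-write records. The records are constructed from this tree (parent PIDs follow the nesting shown), the explorer.exe write is a benign decoy I added, and the function names are mine. The taskeng.exe parent check is specific to Windows 7; later versions host scheduled tasks differently, so the rule would need a different parent there.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (pid, ppid, image, command line) that
# mirror the tree in this report; ppid follows the nesting shown, None = root.
PROCS = [
    (1388, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1196, 1388,
     r"C:\Users\Admin\AppData\Local\Temp\9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe"'),
    (580, None, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k DcomLaunch"),
    (1232, 580, r"C:\Windows\system32\DllHost.exe",
     r"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"),
    (980, None, r"C:\Windows\system32\taskeng.exe",
     r"taskeng.exe {E1C49DCA-2FD0-4029-B638-15B188CDE006} S-1-5-18:NT AUTHORITY\System:Service:"),
    (1048, 980, r"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe", r"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"),
]

# Constructed file-write records (pid, path): the report attributes the user-file
# and Program Files writes to PID 580; the explorer.exe .lnk write is a benign decoy.
FILE_WRITES = [
    (580, r"C:\Users\Admin\Desktop\CheckpointOut.DOC.fpcelmn"),
    (580, r"C:\Users\Admin\Documents\!Decrypt-All-Files-fpcelmn.txt"),
    (580, r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-fpcelmn.txt"),
    (1388, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"),
]

SYSTEM_IMAGE = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
USER_DATA = re.compile(r"^c:\\(users\\[^\\]+\\(desktop|documents|pictures)\\|program files)", re.I)


def by_pid(procs):
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in procs}


def task_engine_temp_launches(procs):
    """PIDs of executables in a user Temp directory started by taskeng.exe (Windows 7)."""
    table = by_pid(procs)
    hits = []
    for pid, (ppid, image, _) in table.items():
        parent = table.get(ppid)
        if parent and PureWindowsPath(parent[1]).name.lower() == "taskeng.exe" and USER_TEMP.match(image):
            hits.append(pid)
    return hits


def system_process_user_data_writes(procs, writes):
    """PIDs of System32-hosted processes writing into user documents or Program Files."""
    table = by_pid(procs)
    hits = set()
    for pid, path in writes:
        proc = table.get(pid)
        if proc and SYSTEM_IMAGE.match(proc[1]) and USER_DATA.match(path):
            hits.add(pid)
    return sorted(hits)


def chain(procs, pid):
    """Ancestry of a PID as image names, root first, for the alert text."""
    table = by_pid(procs)
    names = []
    while pid in table:
        ppid, image, _ = table[pid]
        names.append(PureWindowsPath(image).name)
        pid = ppid
    return names[::-1]
```

The second rule is the one that matters for response: the process writing the encrypted files is not the sample, so killing the two sample PIDs alone would not stop the damage, and any file-activity correlation has to be done on PID 580.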

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\ProgramData\Microsoft Help\aubdarb
      Filesize

      654B

      MD5

      4cbf9a5efe7df62017c28ef4e4a248e8

      SHA1

      50851a02dba65bc1bf6672c4a5c455ba9ba49254

      SHA256

      a6991af3f085474f0110658ca8ff75842b3ae76a833a87f51fc7b34966c3dbb0

      SHA512

      1d5d588ea7ccbc2c96cced756b3d7d3b254206b0fa458fcb185cc2f9ca088aa744bea9456a1ef98d8413373b1a480c8d1a12dc54bb4ce2c2e52ed2b46d39df30

    • C:\ProgramData\Microsoft Help\aubdarb
      Filesize

      654B

      MD5

      d7b51fd436e2e6e8f7d987838ce2340f

      SHA1

      5eab9886b8004651d2865a2bf6f56c66e22c7f0f

      SHA256

      32875dd352f9f83cb84aa137ade232fe70444c0654504496e1836a1e1a21007a

      SHA512

      72c3aeb400aa76eaaf666852accc97681dba19f0eacfef69ea281938c58c6c2804a94f31215e40271c437f2df7dfc8d31790e57402086f36e18b01e1e4665b5b

    • C:\ProgramData\Microsoft Help\aubdarb
      Filesize

      654B

      MD5

      5477b8306b9357b5af6904be52c981a8

      SHA1

      1fd10eab62a6cf97dae80aed6b7e94eef6e074d7

      SHA256

      0415e91950861bf8138a6731d4f7964f76425b0538d06ce13df6399d732f5010

      SHA512

      b8923585be16c2c7fdeff23e0d38f93ec4afb770934b2b3de882a2d3ed1baf10246456ebff43d6f2e48bf9cd20d5e5094503581339d908430524764f86619cef

    • C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
      Filesize

      742KB

      MD5

      39c0e005cd2892a7b315081f9db6dc37

      SHA1

      e9c2dda548ca0f53939d8bbf9228a92977964341

      SHA256

      9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

      SHA512

      e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

    • C:\Users\Admin\Desktop\CheckpointOut.DOC.fpcelmn
      Filesize

      251KB

      MD5

      2685c244ba4fc2cc33e12cf6b84f888c

      SHA1

      4692b0cbd74aa005324ff60c9de6383622024164

      SHA256

      ae841accdfff2e067da94edf1ebd98b0cbc3a1ce0a45462fe319f761eb446f84

      SHA512

      05c45791574d6e861f31bf58b072f57662a368eaf5cdfab79e9c55e7eba589d7dc2709e9648d592248eb08bbeaaab4ccffb59f8e999d90b146cf268da6f52daa

    • C:\Users\Admin\Desktop\ProtectPush.RTF.fpcelmn
      Filesize

      302KB

      MD5

      510da0301f42ed61df45833a65db1ab7

      SHA1

      0e28bea33d82b5e6231210805cc5a4a217299453

      SHA256

      09adbf7a7c444435544bdaa8e5f8dedd8f217ed4585effff0859fb577cf8b1d2

      SHA512

      7051ae6ce6ff73b1f02616c8ea9ccb6432b3b66125d1777bc12a505624c5d3871d6eb923f9210eae49d629fc5e1fd4b1fc9844bec732a8333948625b251443c8

    • C:\Users\Admin\Desktop\RestartDebug.RAR.fpcelmn
      Filesize

      149KB

      MD5

      bd143788b117b30663cb89e310240840

      SHA1

      0380f3ad6037fe939f2a369596458937156c4773

      SHA256

      99f21c40ffc9023dce3649113d9345437f8da87bf8712a146185d5f5ca09876c

      SHA512

      bdc4d3bfe11642198dd81aa573fa06cc3067d090f1735d37472301e907c03a9b0013048da54485a948ab8a5338c30d893878845935db9ef87f0d612b86f89535

    • C:\Users\Admin\Desktop\WriteRemove.ODP.fpcelmn
      Filesize

      234KB

      MD5

      49d7ae8d1010aa002966ac635cf5c743

      SHA1

      eb925c66db8edca39c77702293be2e4721dd9ebf

      SHA256

      871af1992857e339bd7a7196f9d9734f2e791bc9d417ae04c0ed92d09e8d8dd8

      SHA512

      6f11d153a70034830d2b547c45a5f0f45a8e0e79beab0aca65c512b39d7869ccdc03e0b9ecabf17427927ddce80e58451d8cdca22bfa056f264cedfd145b95d2

    • memory/580-67-0x0000000000550000-0x00000000005C7000-memory.dmp
      Filesize

      476KB

    • memory/580-72-0x000007FEFC161000-0x000007FEFC163000-memory.dmp
      Filesize

      8KB

    • memory/580-69-0x0000000000550000-0x00000000005C7000-memory.dmp
      Filesize

      476KB

    • memory/1048-66-0x0000000000FF0000-0x000000000123B000-memory.dmp
      Filesize

      2.3MB

    • memory/1048-60-0x0000000000000000-mapping.dmp
    • memory/1196-58-0x00000000023F0000-0x000000000263B000-memory.dmp
      Filesize

      2.3MB

    • memory/1196-57-0x00000000021D0000-0x00000000023EA000-memory.dmp
      Filesize

      2.1MB

    • memory/1196-55-0x0000000000400000-0x00000000004BC000-memory.dmp
      Filesize

      752KB

    • memory/1196-56-0x0000000000401000-0x00000000004A5000-memory.dmp
      Filesize

      656KB

    • memory/1196-54-0x0000000075D01000-0x0000000075D03000-memory.dmp
      Filesize

      8KB

    • memory/1232-80-0x0000000000000000-mapping.dmp