Analysis
-
max time kernel
150s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
26-11-2022 13:04
General
-
Target
0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303.exe
-
Size
748KB
-
MD5
233f3620139e38ec5ae44f2ea73b2122
-
SHA1
4e582a1411167b7eb59633fe3102c4c1cd19b92f
-
SHA256
0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
-
SHA512
76764469bf253fe56a8c9d543ce327b4bdb60a058041dcd97ceebc9d47999e47221326315d7616fb04dd19376ed64a7857f6f06ce7fa7fbcb841873044262593
-
SSDEEP
12288:geWzt13drPsKlgTA0Ow/WnX5m9stu1EgpU55jgG4HdRUdWQiHL:gee4KCOznX5R4KgQ5RBC
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-kfkizxi.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-kfkizxi.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\ProgramData\zlwdkgg.html
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 10 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303.exe"C:\Users\Admin\AppData\Local\Temp\0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303.exe"C:\Users\Admin\AppData\Local\Temp\0e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {B02C6DA4-C3EC-4F54-B3CA-BC335CC07B71} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeC:\Users\Admin\AppData\Local\Temp\pdfisga.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all4⤵
- Interacts with shadow copies
-
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD5f2b839d2e7c7e6c28552ba143781e31e
SHA11f22373d1e3f685b61f742b80ec443a1a5bcb4f2
SHA2562190bbf792d19c26120015209846bb55ec8981c914e27589d0ee09d72dde245c
SHA51250d907892832c90a5018245055a2a85fc8a0314d9797ab9293f56fdf90ea9cc867610dfc161d8223628bbac42c5178735077a1438a1e6235e3e9b1117b6e52a8
-
Filesize
654B
MD5f2b839d2e7c7e6c28552ba143781e31e
SHA11f22373d1e3f685b61f742b80ec443a1a5bcb4f2
SHA2562190bbf792d19c26120015209846bb55ec8981c914e27589d0ee09d72dde245c
SHA51250d907892832c90a5018245055a2a85fc8a0314d9797ab9293f56fdf90ea9cc867610dfc161d8223628bbac42c5178735077a1438a1e6235e3e9b1117b6e52a8
-
Filesize
654B
MD56700f3faa0a777b35ffb526ad2a08df3
SHA1bd8758cb0cc7e42b649144fe226b3351d985a66b
SHA25643ab79c8a4590e616ba7d0b91e7a337570ba4274888b3c4b67f5da3554542fec
SHA512032ebe42e2a8fa21d2ce6f610d3190cfc8e53bdd2f81adad633335cec01d9f57989e307b68bbbd62446a878118515ef39b03799252f76ecd59af30fa09cf4f9e
-
Filesize
654B
MD512fa497b5b1f28ceff0b7a3cf1c050df
SHA1f2e4cd30e598081a17cc85c6f8ad09c9f9549395
SHA25653726e071dbacaedf15f2051b4a6c5594f83bd0746196e6c815d0fad59181e73
SHA5123c659091d2afd8865c5b36e3df3dda0898cc104ec31ecc96a1bd25323edf3410b3dd95911b5e9ceb87085b53b386ef474aa4591540a25b4465014cedc455452b
-
Filesize
62KB
MD54204c9919b69185cf7ce00770d910213
SHA1b54093ed8a6758c3ab482504b41c01b6516b6e23
SHA256c04e3130bab0d880055f8b13accc0ab6e0a0a1e76bc39012ae1669fbb7033a45
SHA5122c0cddbc8107e1010668ddbea249e125cdf0302f8314869abc52cf5fc8a4370a855928163987baf5c5aa6e94d843baae243051aae3ac7745c569d84a4ae95d4c
-
Filesize
748KB
MD5233f3620139e38ec5ae44f2ea73b2122
SHA14e582a1411167b7eb59633fe3102c4c1cd19b92f
SHA2560e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
SHA51276764469bf253fe56a8c9d543ce327b4bdb60a058041dcd97ceebc9d47999e47221326315d7616fb04dd19376ed64a7857f6f06ce7fa7fbcb841873044262593
-
Filesize
748KB
MD5233f3620139e38ec5ae44f2ea73b2122
SHA14e582a1411167b7eb59633fe3102c4c1cd19b92f
SHA2560e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
SHA51276764469bf253fe56a8c9d543ce327b4bdb60a058041dcd97ceebc9d47999e47221326315d7616fb04dd19376ed64a7857f6f06ce7fa7fbcb841873044262593
-
Filesize
748KB
MD5233f3620139e38ec5ae44f2ea73b2122
SHA14e582a1411167b7eb59633fe3102c4c1cd19b92f
SHA2560e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
SHA51276764469bf253fe56a8c9d543ce327b4bdb60a058041dcd97ceebc9d47999e47221326315d7616fb04dd19376ed64a7857f6f06ce7fa7fbcb841873044262593
-
Filesize
748KB
MD5233f3620139e38ec5ae44f2ea73b2122
SHA14e582a1411167b7eb59633fe3102c4c1cd19b92f
SHA2560e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
SHA51276764469bf253fe56a8c9d543ce327b4bdb60a058041dcd97ceebc9d47999e47221326315d7616fb04dd19376ed64a7857f6f06ce7fa7fbcb841873044262593
-
Filesize
748KB
MD5233f3620139e38ec5ae44f2ea73b2122
SHA14e582a1411167b7eb59633fe3102c4c1cd19b92f
SHA2560e4893b6d43728b8d7b9c1483ac5aa03eaa2be552963703369461bb77e653303
SHA51276764469bf253fe56a8c9d543ce327b4bdb60a058041dcd97ceebc9d47999e47221326315d7616fb04dd19376ed64a7857f6f06ce7fa7fbcb841873044262593
-
Filesize
3KB
MD5a367cc8aa7c0caba4e57a29f382bfc84
SHA1b54c5310376d79c2fb490bde025dff492d6ff553
SHA25605a72a235dd1e02e3a5b39a098fd0697749d223eef9e5b6e27ff5a71b10a9a4b
SHA51211fa1c4c34e988f133325d5225228f4f83527a08e988ee18461b78832c1d712b266d6034a6f2952e429c3b090c200bed739affdd30548ef62e3def5cb306700c
-
Filesize
1KB
MD562c0d8d5c5cab232e9f2d63ecd211715
SHA17c9685b13dd50fbc0c92d64a971a8a04af6d4071
SHA256f52aba95aee622724eb78d6126a1da557d406f7803ca49d3b01a11c52823eb9f
SHA5120c21ea341fffdf266e4b19c218d4310bdc651194e1ee8840242c6194c6f77765629f3086116546ac83cf6c986d52f1266989bc029ce56fb3c12d66b6a8087529
-
Filesize
554B
MD54319f5f6924314e4503cc8f1893737ee
SHA1900f44a53190da879aa0b9c70b55efe00c4668d4
SHA256d4d05ac908a414c628501ccba75dcd86da86c4016cefa5afba1d1ebf3f968871
SHA512fdc6cb5e01820d1064874e6385af8fcb21e95406718e0d9c540a6ae4044b888f21a8b2296be274187061b5241c1488a74fdf882044915e3fcf034dd8b5beecc8
-
Filesize
394B
MD5b366c71b1134563874f37eff550881f7
SHA1c9b13c424e9f1efb9933f7f20ed52f9376c0567c
SHA2569e5764ffba00a814ded35480d0c4e74f847fb32e1c457f4d46e2a3f4b6f72af3
SHA512bc2c702b664479ca4537c8dfcd221be3371a3a914fca36180b3e7190788e17dc3914f307dc8ba1a1a02e8df019bd7fe6f93ef3f2185ce942f6043537483fd1e2
-
Filesize
66KB
MD592ffa507f5b3d9ae074c20894b724629
SHA199af0b89d400cfc7bbea381471d01f2599eb55a3
SHA2565aae1e7c174883e0ebd0220d8d5e897fc5fac10c4f86a1ad009640e24a6ae7c1
SHA51222192058ec654db53ed026dcbf568489315478c765ab6fd8f74304ca46019f5ce2272fff4bfaaabf8d49fbb02b7511812da40ee8211b60da508a4a980fa3641b
-
Filesize
66KB
MD592ffa507f5b3d9ae074c20894b724629
SHA199af0b89d400cfc7bbea381471d01f2599eb55a3
SHA2565aae1e7c174883e0ebd0220d8d5e897fc5fac10c4f86a1ad009640e24a6ae7c1
SHA51222192058ec654db53ed026dcbf568489315478c765ab6fd8f74304ca46019f5ce2272fff4bfaaabf8d49fbb02b7511812da40ee8211b60da508a4a980fa3641b
-
Filesize
66KB
MD592ffa507f5b3d9ae074c20894b724629
SHA199af0b89d400cfc7bbea381471d01f2599eb55a3
SHA2565aae1e7c174883e0ebd0220d8d5e897fc5fac10c4f86a1ad009640e24a6ae7c1
SHA51222192058ec654db53ed026dcbf568489315478c765ab6fd8f74304ca46019f5ce2272fff4bfaaabf8d49fbb02b7511812da40ee8211b60da508a4a980fa3641b
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
2.3MB
-
Filesize
657KB
-
Filesize
660KB
-
Filesize
2.3MB
-
Filesize
2.1MB
-
Filesize
660KB
-
Filesize
660KB
-
Filesize
2.3MB
