Analysis

  • max time kernel
    150s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2022 14:11

General

  • Target

    b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0.exe

  • Size

    939KB

  • MD5

    d9b017b1800c44d367ff21125a528d17

  • SHA1

    c01d613dc8bf2e251b7d3e6180e01895f175697c

  • SHA256

    b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0

  • SHA512

    9a0b22b4ff1f73a64e39c94a47eb8d1eabd13e6909add29d921130b1549b65a806fd8b62e2e30f1fc1e882f6ba44f23b2f664428b82ffc7a6566fc9d322e01a9

  • SSDEEP

    24576:+/5UCvsU0yUU1Rm2k/gqTT8MfECZPcxvSD:EeCvszrU1HCg0TcCZP/D

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tswflmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. JFXKG6Y-MPOHA2W-CGL3N45-A5UHDTS-4LCAMV6-OXCE7DH-7SHGQ3J-IAYGW6N WMBLFAB-NRVRJ73-6LS5BLC-CWJYRPQ-JSN76U5-HTW4IUB-O7VECON-J3IO6RG A7LOSS4-OMXKZ7J-7222MAP-NFLGJBQ-MPXTH6L-LPXHC4J-NWISC4S-KUR5KAQ Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-tswflmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. JFXKG6Y-MPOHA2W-CGL3N45-A5UHDTS-4LCAMV6-OXCE7DH-7SHGQ3J-IAYGW6N WMBLFAB-NRVRJ73-6LS5BLC-CWJYRPQ-JSN76U5-HTW4IUB-O7VECON-J3IO6RG A7LOSS4-OMXKZ7J-7222MAP-NFLGJBQ-MPXT7PL-DWXHC4J-NWISC4S-KUR5FAB Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/
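Both extracted notes point at the same Tor hidden service (pf5dahldauhrjxfd.onion) through two clearnet gateways (onion.cab and tor2web.org), carry a per-victim "public key" block, and are named after the same seven-letter suffix (tswflmn) that the locker appends to every encrypted file. The Python below is an added example, not part of the sandbox report or the malware's own code: it parses a note of this shape into indicators that can be blocked or hunted for, and enumerates the dropped notes and renamed files on a directory tree. The embedded note is excerpted from the first note above; the directory layout, file names and the assumption that the suffix is exactly seven lowercase letters are constructed for the demo.

```python
"""Triage helper for a CTB-Locker style ransom note (added example, not from the report)."""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Note filename pattern '!Decrypt-All-Files-<suffix>.txt'. The suffix doubles as the
# extension appended to encrypted files. Seven lowercase letters is an assumption taken
# from this sample ('tswflmn'); widen the class if other samples differ.
NOTE_NAME_RE = re.compile(r"^!Decrypt-All-Files-([a-z]{7})\.txt$")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/\S*)?")
# v2 onion service names: 16 base32 characters in front of '.onion'
ONION_RE = re.compile(r"\b([a-z2-7]{16})\.onion\b")
# Victim key as printed in the note: eight dash-separated groups of seven characters
KEY_RE = re.compile(r"\b(?:[A-Z0-9]{7}-){7}[A-Z0-9]{7}\b")

# Excerpt of the first extracted note in the report (typos preserved, line breaks added)
SAMPLE_NOTE = (
    "Your documents, photos, databases and other important files have been encrypted "
    "with strongest encryption and unique key, generated for this computer. "
    "Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your "
    "browser. They are public gates to the secret server. If you have problems with gates, "
    "use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor "
    "Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via "
    "Tor Browser only. Copy and paste the following public key in the input form on server. "
    "Avoid missprints. "
    "JFXKG6Y-MPOHA2W-CGL3N45-A5UHDTS-4LCAMV6-OXCE7DH-7SHGQ3J-IAYGW6N "
    "WMBLFAB-NRVRJ73-6LS5BLC-CWJYRPQ-JSN76U5-HTW4IUB-O7VECON-J3IO6RG "
    "A7LOSS4-OMXKZ7J-7222MAP-NFLGJBQ-MPXTH6L-LPXHC4J-NWISC4S-KUR5KAQ "
    "Follow the instructions on the server."
)


def parse_note(text: str) -> dict:
    """Pull blockable indicators out of a ransom note."""
    urls = URL_RE.findall(text)
    onions = sorted(set(ONION_RE.findall(text)))
    hosts = sorted({h for h in (urlsplit(u).hostname for u in urls) if h})
    # Clearnet gateways are the onion name prefixed to a Tor2web-style proxy domain.
    # Unlike the .onion itself they resolve in ordinary DNS, so they are the names
    # worth sinkholing at the perimeter.
    gateways = [h for h in hosts
                if any(h.startswith(o + ".") for o in onions) and not h.endswith(".onion")]
    return {
        "onion_services": onions,
        "gateway_hosts": gateways,
        "victim_keys": KEY_RE.findall(text),
        "urls": urls,
    }


def find_artifacts(root) -> dict:
    """Locate dropped notes under root and every file carrying the matching suffix."""
    root = Path(root)
    notes, suffixes = [], set()
    for path in root.rglob("*.txt"):
        m = NOTE_NAME_RE.match(path.name)
        if m:
            notes.append(path)
            suffixes.add(m.group(1))
    encrypted = sorted(p for s in suffixes for p in root.rglob(f"*.{s}") if p.is_file())
    return {"notes": sorted(notes), "suffixes": sorted(suffixes), "encrypted": encrypted}


def build_demo_tree() -> Path:
    """Constructed victim profile: one note in Documents, two renamed files and one
    untouched file on the Desktop. Names mirror the report; contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="ctb_demo_"))
    (root / "Documents").mkdir()
    (root / "Desktop").mkdir()
    (root / "Documents" / "!Decrypt-All-Files-tswflmn.txt").write_text(SAMPLE_NOTE)
    for name in ("OutConfirm.TXT.tswflmn", "ReadPublish.WPS.tswflmn", "untouched.docx"):
        (root / "Desktop" / name).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    found = find_artifacts(root)
    print("note suffixes:", found["suffixes"])
    print("renamed files:", [p.name for p in found["encrypted"]])
    for note in found["notes"]:
        ind = parse_note(note.read_text())
        print("onion services:", ind["onion_services"])
        print("clearnet gateways to block:", ind["gateway_hosts"])
        print("victim key lines:", len(ind["victim_keys"]))
```

The victim key block is per-infection, so it identifies which host a note came from but is useless as a network indicator; the onion name and the two gateway hosts are what to hunt in DNS and proxy logs. Run the script against a mounted image root instead of the demo tree to inventory what was renamed.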

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0.exe
      "C:\Users\Admin\AppData\Local\Temp\b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1996
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:596
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:588
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {777DBD3A-6D1B-4B94-A098-500748682F07} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
      C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows all
        3⤵
        • Interacts with shadow copies
        PID:1480
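The tree above is the chain a detection rule should key on: the Task Scheduler engine (taskeng.exe) starts the dropped copy pcrcyge.exe from the user's Temp directory (byte-identical to the submitted sample, per the hashes in Downloads), and that process runs vssadmin delete shadows all. The Python below is an added example, not part of the report or of any vendor's ruleset: it runs two such rules over constructed process-creation events (a Sysmon Event ID 1-style subset of fields) and reports each hit with its reconstructed ancestry. Image paths, command lines and PIDs are copied from the tree above; the event shape, the parent PIDs of the three root processes (set to 0) and the technique mapping for the task-engine rule are assumptions.

```python
"""Process-chain detection for the CTB-Locker tree in this report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields. Shape is constructed; values from the report."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0.exe"

EVENTS = [
    # ppid 0 marks a root of the captured tree (its parent is not in the report)
    ProcEvent(1212, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1996, 1212, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(596, 0, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k DcomLaunch"),
    ProcEvent(588, 596, r"C:\Windows\system32\DllHost.exe",
              r"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"),
    ProcEvent(1744, 0, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {777DBD3A-6D1B-4B94-A098-500748682F07} S-1-5-18:NT AUTHORITY\System:Service:"),
    ProcEvent(952, 1744, r"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe",
              r"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"),
    ProcEvent(1480, 952, r"C:\Windows\SysWOW64\vssadmin.exe", r"vssadmin delete shadows all"),
]

# Directories an unprivileged user can write to; a binary started from here by a
# system component deserves a look
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|ProgramData|Public)\\", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image basenames from the highest captured ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def rule_shadow_copy_deletion(ev, parent):
    # T1490 Inhibit System Recovery, as mapped in the report's ATT&CK matrix.
    # Match on the basename: the SysWOW64 path here is only file-system redirection
    # for a 32-bit process on x64, and a rule pinned to System32 would miss it.
    if basename(ev.image) == "vssadmin.exe" and SHADOW_DELETE_RE.search(ev.cmdline):
        return "shadow_copy_deletion", "T1490"
    return None


def rule_task_engine_launches_temp_binary(ev, parent):
    # Task Scheduler engine starting a binary from a user-writable directory: the hop
    # that ran the dropped copy here. The T1053 mapping is ours, not the report's.
    if parent is not None and basename(parent.image) == "taskeng.exe" \
            and USER_WRITABLE_RE.search(ev.image):
        return "task_engine_launches_temp_binary", "T1053"
    return None


RULES = [rule_shadow_copy_deletion, rule_task_engine_launches_temp_binary]


def detect(events) -> list:
    """Apply every rule to every event; return one alert dict per hit."""
    by_pid = {ev.pid: ev for ev in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for rule in RULES:
            hit = rule(ev, parent)
            if hit:
                name, technique = hit
                alerts.append({"pid": ev.pid, "rule": name, "technique": technique,
                               "chain": ancestry(by_pid, ev.pid), "cmdline": ev.cmdline})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['technique']}] {a['rule']}: pid {a['pid']} via {' -> '.join(a['chain'])}")
        print(f"    {a['cmdline']}")
```

The first launch of the sample under Explorer.EXE produces no alert on its own: a user starting an executable from Temp is common, and it is the later taskeng.exe relaunch and the vssadmin call that separate this run from noise. The ancestry string on each alert is what an analyst needs to pivot from the vssadmin event back to the dropped binary.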

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    File Deletion (T1107): 2 signatures
    Modify Registry (T1112): 1 signature
  • Impact
    Inhibit System Recovery (T1490): 2 signatures
    Defacement (T1491): 1 signature

Downloads

    • C:\ProgramData\Microsoft Help\aubdarb
      Filesize

      654B

      MD5

      eae6483054805bf4fea2820d8bea9506

      SHA1

      f90be4d794d357836cbf540253e725b5c79ea742

      SHA256

      a9ff39b3a48b20ebb9c088eb7b2df60bcca87adec617f3c94b6cf4ddf7dda2f2

      SHA512

      f769027b63b8bf9f438a0c32ec2c35e6cb548dd9eb65b022d2a253a6d6d56454e503ce4e8008a0e7b52859b28272e38c7294e15eee05c38abae6a554bebba6bf

    • C:\ProgramData\Microsoft Help\aubdarb
      Filesize

      654B

      MD5

      3cb1e26ee9ce95e7e330daa5fe81c3ea

      SHA1

      f869a5dc9031609713cc3b12847d042a013d9287

      SHA256

      dfa09f07828538a8deb9fefee0b0a03bd6f5980d1c20bbf9feb6cf445862cd99

      SHA512

      3000ee71a4887ba58a8b3d6331c871a036e9a7dfa537b799fedd6ebc4ea4f621b929a8b92ee16228fc2998d32e54d305fba2e6f57044d73077d58b2f161a5296

    • C:\ProgramData\Microsoft Help\aubdarb
      Filesize

      654B

      MD5

      d2bc1bf996cb95a15e242ca07aad4ec8

      SHA1

      fc3e971435c7205a7a470d0256b616e5babe1c12

      SHA256

      418e6c48e52878159457c69241a727deea8dedd6b16c45f7a49a823f002292ba

      SHA512

      0f9b46c57b9709e5db0a3528b3715f1133abdea30f5356788fd300113e010a0212825fa8c3cc8f33f29c13520418983869d3effe03c85aaa2daa72a66aeb634c

    • C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
      Filesize

      939KB

      MD5

      d9b017b1800c44d367ff21125a528d17

      SHA1

      c01d613dc8bf2e251b7d3e6180e01895f175697c

      SHA256

      b8ee83f09c15c7a11f5c0a7fa686cf0cfa7f561e8d7d9dfb303cbfc2bce246e0

      SHA512

      9a0b22b4ff1f73a64e39c94a47eb8d1eabd13e6909add29d921130b1549b65a806fd8b62e2e30f1fc1e882f6ba44f23b2f664428b82ffc7a6566fc9d322e01a9

    • C:\Users\Admin\Desktop\BlockDebug.XLSB.tswflmn
      Filesize

      256KB

      MD5

      db54639c62155872ecd1733b98a00095

      SHA1

      d99b3f794cae086e37040bbd5490d09c36da8938

      SHA256

      7191df8ed1b931002edabd25e88443e5ea4c0bdc437d858bf80cb8e6cbc6abed

      SHA512

      24e2265060ef69b6f2a17c2cd898e01b75dccc5e28be78d81acab17ae39fe44f8a30a55dde39547f82a0b22277835ac4cbdfe17951149d4887b8049c699c88ba

    • C:\Users\Admin\Desktop\ConvertInvoke.7Z.tswflmn
      Filesize

      304KB

      MD5

      e0104b8decab5e7d8e52b3b7a886f209

      SHA1

      ebffd984d9073d958ce6686ee8836a8114c6bbfb

      SHA256

      2a32384dc5130a35b4b6c587907d66400dd637ecb1488770233c5764a2ddf062

      SHA512

      b2b60069642d811e425908b05e20b5471bab61669563eaa3f050df744a7c064e622c9af6e466f0b1379c40b7939d6abdec9e06f35ac1315b6492ec61fb152d55

    • C:\Users\Admin\Desktop\GroupJoin.VSD.tswflmn
      Filesize

      368KB

      MD5

      8c08a5cda2f70a482a3b7eb3fc6b6c0e

      SHA1

      7ca97e8c4401cac7a638cfb4ba01c8db1d2a778e

      SHA256

      50a49ecd3b1f3f613271d710807b40349eaf2f671a99f801be4b4470d3809d5d

      SHA512

      8227a8303c869a1632303088ae040103847f3d183f9a80b134136fe94801ca8eba4cb1ce1d913b6ba7c99ff9f8c22b10f010bb2928f499a0c2d05c90e2bcee31

    • C:\Users\Admin\Desktop\InstallEdit.WPS.tswflmn
      Filesize

      192KB

      MD5

      1a23730211fb9de010580d6aaed60493

      SHA1

      7ee151c52fadc589a3fb8aff2eac18a2153acb60

      SHA256

      095db81bb26f778afe58a81fefa0b7a6ea4c7de403c7c16fc80ae893dafbe22a

      SHA512

      80fe74359b6133707cca38df985aa31eea9cfbb06dcf6f793a4cbc89476d5e14508061d7167ad7d12b821814a7e2295de9c0945c2174a400bbeb567f5adb49ac

    • C:\Users\Admin\Desktop\MountPop.ZIP.tswflmn
      Filesize

      336KB

      MD5

      ee4cd1fbf9f553b3322d57c1dedd0bd1

      SHA1

      0d6e2cea212cb4227cd1aa2c235ce4ffbd36fd90

      SHA256

      e2e101d60006a7f611e28bcdae8e79fdfb2fbf3a79649d2dac7cd4793a7075cd

      SHA512

      83d03fd52e1cea1fa836a485563fb104fa11d0444f3981571f0818955c1df472ae8fa11df7152e9924f8b19648790070a7327dc159cd4104ded39ecfcf0c4894

    • C:\Users\Admin\Desktop\OutConfirm.TXT.tswflmn
      Filesize

      272KB

      MD5

      50b77944c2b5e80f3050268790d6c175

      SHA1

      14b4fcada2835a48ec6849bc0b807e3cc7805a22

      SHA256

      1a44ae375b30373860573780bd5eb0e2a77b1ff2e02a24496fe2e160412cd736

      SHA512

      62e4fd4038cfa785a30b29ee9ffd6e133e7d910af0a29a2fed725b84c71c96b6a82f293d803746db338a549d44c4e4c0ce6894ddb09761fa93821b292cfa5aa0

    • C:\Users\Admin\Desktop\ReadPublish.WPS.tswflmn
      Filesize

      544KB

      MD5

      332f6890c270b27b3561588bbc67e7da

      SHA1

      ea395794d655443d3c535f1880f0e9f8ecb065dc

      SHA256

      be848e5779f8fbc7331b2f1a4a50a8f8b5e4e9d18e4c372698e4f187d858b728

      SHA512

      dedc2f7fe16be56da8d2161a313e20ebbfe5752c18036bfa55b8b52eae2641e3c1a8849da37c3a04d7798b0a5d425b5abcb3b089bedeb6fc2b24ed9eab3fa609

    • memory/588-84-0x0000000000000000-mapping.dmp
    • memory/596-68-0x00000000003F0000-0x0000000000467000-memory.dmp
      Filesize

      476KB

    • memory/596-71-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp
      Filesize

      8KB

    • memory/596-66-0x00000000003F0000-0x0000000000467000-memory.dmp
      Filesize

      476KB

    • memory/952-65-0x0000000000400000-0x0000000002007000-memory.dmp
      Filesize

      28.0MB

    • memory/952-64-0x0000000002AC0000-0x0000000002D0B000-memory.dmp
      Filesize

      2.3MB

    • memory/952-60-0x0000000000000000-mapping.dmp
    • memory/1480-85-0x0000000000000000-mapping.dmp
    • memory/1996-56-0x0000000004C70000-0x0000000004E8A000-memory.dmp
      Filesize

      2.1MB

    • memory/1996-55-0x00000000003D0000-0x00000000003D3000-memory.dmp
      Filesize

      12KB

    • memory/1996-57-0x0000000004E90000-0x00000000050DB000-memory.dmp
      Filesize

      2.3MB

    • memory/1996-58-0x0000000000400000-0x0000000002007000-memory.dmp
      Filesize

      28.0MB

    • memory/1996-54-0x0000000075601000-0x0000000075603000-memory.dmp
      Filesize

      8KB