Overview

overview

10

Static

static

86325448ef...45.exe

windows7-x64

10

86325448ef...45.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 21:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe

  • Size

    890KB

  • MD5

    330e1ea9e2f3ad4e0b121bc63cf0cb77

  • SHA1

    58d7e7d8fcb338b3cae80ab108aebb8f540cd9d5

  • SHA256

    86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345

  • SHA512

    42ccf64dd96fff1804e0c317314a94b88b9e44a31b54eb4ddc6e23ea19d80b8a076813d0621a801604ac31a33fa1e0b3b5c4d69fa8f533e6caf2d8b1f2af0229

  • SSDEEP

    24576:zqhcLJWZ4msH4lItbCWuG16llyBd7TSSrM+9Nb:WhQJWZ4msYS5AG16uDBI8Nb

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-udoiicl.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. LMIMXI3-3F2PY3U-MKVW6ZZ-FDOBT5X-6KSAPI3-HY4PK7Z-CHQHHI3-ZUU7YRX 4J6IDTJ-E32ZHUC-6XTPH3N-7T3DEJF-7ZUOLAQ-GWD7NOK-VZ4ACKD-DHGJ5DY VTVIWDK-QR5PFJ6-IM3YJDX-JJ2C6V3-HAR2F3X-YFH4V5N-UBGTC6L-6DRMX5G Follow the instructions on the server.
URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion/

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:1300
    • C:\Users\Admin\AppData\Local\Temp\86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe
      "C:\Users\Admin\AppData\Local\Temp\86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1636
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {DAA82CA9-558B-44FA-9166-92B6BED28F8F} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
        C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:852

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Adobe\qrsyusl
      Filesize

      654B

      MD5

      b7b15a2af8d6476580efba3782fbdb69

      SHA1

      aa09fd2a545f5e97f1f8c944ea58ce3140e1c1c7

      SHA256

      16743325838df636126e9dbadab28bc4924a867f5aaef5042bcef8d7085d38d5

      SHA512

      685931ef8a231cabaae002e75a6a4c65e2c02c0ff8f3493b5a1f3d89b7e285f538b7447c97f15bff312ba122689360fa3cbac92b7e410db9b078b851e2bbcce4

      Download Submit
    • C:\ProgramData\Adobe\qrsyusl
      Filesize

      654B

      MD5

      b7b15a2af8d6476580efba3782fbdb69

      SHA1

      aa09fd2a545f5e97f1f8c944ea58ce3140e1c1c7

      SHA256

      16743325838df636126e9dbadab28bc4924a867f5aaef5042bcef8d7085d38d5

      SHA512

      685931ef8a231cabaae002e75a6a4c65e2c02c0ff8f3493b5a1f3d89b7e285f538b7447c97f15bff312ba122689360fa3cbac92b7e410db9b078b851e2bbcce4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
      Filesize

      890KB

      MD5

      330e1ea9e2f3ad4e0b121bc63cf0cb77

      SHA1

      58d7e7d8fcb338b3cae80ab108aebb8f540cd9d5

      SHA256

      86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345

      SHA512

      42ccf64dd96fff1804e0c317314a94b88b9e44a31b54eb4ddc6e23ea19d80b8a076813d0621a801604ac31a33fa1e0b3b5c4d69fa8f533e6caf2d8b1f2af0229

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
      Filesize

      890KB

      MD5

      330e1ea9e2f3ad4e0b121bc63cf0cb77

      SHA1

      58d7e7d8fcb338b3cae80ab108aebb8f540cd9d5

      SHA256

      86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345

      SHA512

      42ccf64dd96fff1804e0c317314a94b88b9e44a31b54eb4ddc6e23ea19d80b8a076813d0621a801604ac31a33fa1e0b3b5c4d69fa8f533e6caf2d8b1f2af0229

      Download Submit
    • memory/592-67-0x0000000000650000-0x00000000006C7000-memory.dmp
      Filesize

      476KB

      Download
    • memory/592-69-0x0000000000650000-0x00000000006C7000-memory.dmp
      Filesize

      476KB

      Download
    • memory/852-63-0x00000000016F0000-0x0000000001722000-memory.dmp
      Filesize

      200KB

      Download
    • memory/852-60-0x0000000000000000-mapping.dmp
      Download
    • memory/852-64-0x0000000000400000-0x00000000004E3000-memory.dmp
      Filesize

      908KB

      Download
    • memory/852-66-0x0000000003120000-0x000000000336B000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/1300-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1636-54-0x00000000762F1000-0x00000000762F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1636-58-0x00000000044D0000-0x000000000471B000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/1636-57-0x00000000042B0000-0x00000000044CA000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/1636-56-0x0000000000400000-0x00000000004E3000-memory.dmp
      Filesize

      908KB

      Download
    • memory/1636-55-0x0000000002AD0000-0x0000000002B02000-memory.dmp
      Filesize

      200KB

      Download