Analysis
- max time kernel: 150s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 27-11-2022 21:42
Static task: static1
Behavioral task: behavioral1
  Sample: 86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe
  Resource: win10v2004-20220812-en
General
- Target: 86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe
- Size: 890KB
- MD5: 330e1ea9e2f3ad4e0b121bc63cf0cb77
- SHA1: 58d7e7d8fcb338b3cae80ab108aebb8f540cd9d5
- SHA256: 86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345
- SHA512: 42ccf64dd96fff1804e0c317314a94b88b9e44a31b54eb4ddc6e23ea19d80b8a076813d0621a801604ac31a33fa1e0b3b5c4d69fa8f533e6caf2d8b1f2af0229
- SSDEEP: 24576:zqhcLJWZ4msH4lItbCWuG16llyBd7TSSrM+9Nb:WhQJWZ4msYS5AG16uDBI8Nb
Malware Config
- Extracted: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-udoiicl.txt
  http://fizxfsi3cad3kn7v.onion.cab
  http://fizxfsi3cad3kn7v.tor2web.org
  http://fizxfsi3cad3kn7v.onion/
Signatures
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    852 | gejzibk.exe
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description | ioc | process
    File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ReadStart.RAW.udoiicl | svchost.exe
    File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\RedoMount.RAW.udoiicl | svchost.exe
- Drops file in System32 directory (5 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\SysWOW64\´ð | gejzibk.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu | gejzibk.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | gejzibk.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs | gejzibk.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | gejzibk.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-udoiicl.txt | svchost.exe
    File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-udoiicl.bmp | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (9 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick | gejzibk.exe
    Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | gejzibk.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1" | gejzibk.exe
    Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | gejzibk.exe
    Key created | \REGISTRY\USER\.DEFAULT\System | gejzibk.exe
    Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet | gejzibk.exe
    Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control | gejzibk.exe
    Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties | gejzibk.exe
    Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties | gejzibk.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid | process
    1636 | 86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe
    1636 | 86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe
    852 | gejzibk.exe
    852 | gejzibk.exe
    852 | gejzibk.exe
    852 | gejzibk.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 852 | gejzibk.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 1336 wrote to memory of 852 | 1336 | taskeng.exe | gejzibk.exe
    PID 1336 wrote to memory of 852 | 1336 | taskeng.exe | gejzibk.exe
    PID 1336 wrote to memory of 852 | 1336 | taskeng.exe | gejzibk.exe
    PID 1336 wrote to memory of 852 | 1336 | taskeng.exe | gejzibk.exe
    PID 852 wrote to memory of 592 | 852 | gejzibk.exe | svchost.exe
    PID 592 wrote to memory of 1300 | 592 | svchost.exe | DllHost.exe
    PID 592 wrote to memory of 1300 | 592 | svchost.exe | DllHost.exe
    PID 592 wrote to memory of 1300 | 592 | svchost.exe | DllHost.exe
Processes
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- C:\Users\Admin\AppData\Local\Temp\86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345.exe"
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {DAA82CA9-558B-44FA-9166-92B6BED28F8F} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Adobe\qrsyusl
  Filesize: 654B
  MD5: b7b15a2af8d6476580efba3782fbdb69
  SHA1: aa09fd2a545f5e97f1f8c944ea58ce3140e1c1c7
  SHA256: 16743325838df636126e9dbadab28bc4924a867f5aaef5042bcef8d7085d38d5
  SHA512: 685931ef8a231cabaae002e75a6a4c65e2c02c0ff8f3493b5a1f3d89b7e285f538b7447c97f15bff312ba122689360fa3cbac92b7e410db9b078b851e2bbcce4
- C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
  Filesize: 890KB
  MD5: 330e1ea9e2f3ad4e0b121bc63cf0cb77
  SHA1: 58d7e7d8fcb338b3cae80ab108aebb8f540cd9d5
  SHA256: 86325448efbd1fea5d260fe993fe640b44e604749dc479ca9b7ac1ec44607345
  SHA512: 42ccf64dd96fff1804e0c317314a94b88b9e44a31b54eb4ddc6e23ea19d80b8a076813d0621a801604ac31a33fa1e0b3b5c4d69fa8f533e6caf2d8b1f2af0229
- memory/592-67-0x0000000000650000-0x00000000006C7000-memory.dmp
  Filesize: 476KB
- memory/592-69-0x0000000000650000-0x00000000006C7000-memory.dmp
  Filesize: 476KB
- memory/852-63-0x00000000016F0000-0x0000000001722000-memory.dmp
  Filesize: 200KB
- memory/852-60-0x0000000000000000-mapping.dmp
- memory/852-64-0x0000000000400000-0x00000000004E3000-memory.dmp
  Filesize: 908KB
- memory/852-66-0x0000000003120000-0x000000000336B000-memory.dmp
  Filesize: 2.3MB
- memory/1300-72-0x0000000000000000-mapping.dmp
- memory/1636-54-0x00000000762F1000-0x00000000762F3000-memory.dmp
  Filesize: 8KB
- memory/1636-58-0x00000000044D0000-0x000000000471B000-memory.dmp
  Filesize: 2.3MB
- memory/1636-57-0x00000000042B0000-0x00000000044CA000-memory.dmp
  Filesize: 2.1MB
- memory/1636-56-0x0000000000400000-0x00000000004E3000-memory.dmp
  Filesize: 908KB
- memory/1636-55-0x0000000002AD0000-0x0000000002B02000-memory.dmp
  Filesize: 200KB