ctblocker | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
Size

181KB
MD5

388c279f454dc300cd9c809c6a933f86
SHA1

a14c3dd8068a893da6e4d66f7d2f02528685da77
SHA256

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded
SHA512

8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511
SSDEEP

3072:sfKigMo5+zbn0vSXWS1qh2BNqF728MDEbpmPu4:zv5+f0amkBa72ND04

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pipalmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. GNHKVPO-Q6S44IW-WH5K62A-P7V5SGC-44FMQOP-GKVK4BD-VUV6OGD-M7KQQX2 JQZI5P5-6L3K3DQ-5BP2Q2Q-DFKP7ZX-4SU5FIH-PGSCDKL-SRBJBDA-TTDR3L6 ZCHRK3S-55RPLNF-3DLPUJI-UFFEC3P-QYZMOZJ-CC73AFW-NHC5KVP-WJXHXTN Follow the instructions on the server.

URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-pipalmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. GNHKVPO-Q6S44IW-WH5K62A-P7V5SGC-44FMQOP-GKVK4BD-VUV6OGD-M7KQQX2 JQZI5P5-6L3K3DQ-5BP2Q2Q-DFKP7ZX-4SU5FIH-PGSCDKL-SRBJBDA-TTDR3L6 ZCHRK3S-55RPLNF-3DLPUJI-UFFEC3P-QYZM7LJ-KV73AFW-NHC5KVP-WJXX5YJ Follow the instructions on the server.

URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\ProgramData\nydzthc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

pcrcyge.exepcrcyge.EXEpcrcyge.EXEpcrcyge.EXE

pid process

952 pcrcyge.exe
700 pcrcyge.EXE
1280 pcrcyge.EXE
1736 pcrcyge.EXE

pid	process
952	pcrcyge.exe
700	pcrcyge.EXE
1280	pcrcyge.EXE
1736	pcrcyge.EXE

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ResolveUnblock.CRW.pipalmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DisconnectSkip.CRW.pipalmn	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pcrcyge.EXE

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation pcrcyge.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	pcrcyge.EXE

Loads dropped DLL 9 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
1188	WerFault.exe
1188	WerFault.exe
1188	WerFault.exe
1188	WerFault.exe
268	WerFault.exe
268	WerFault.exe
268	WerFault.exe
268	WerFault.exe
268	WerFault.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

pcrcyge.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pcrcyge.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-pipalmn.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exepcrcyge.exepcrcyge.EXE

description	pid	process	target process
PID 1996 set thread context of 2024	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 952 set thread context of 700	952	pcrcyge.exe	pcrcyge.EXE
PID 1280 set thread context of 1736	1280	pcrcyge.EXE	pcrcyge.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pipalmn.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pipalmn.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1756	1996	WerFault.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
1188	952	WerFault.exe	pcrcyge.exe
268	1280	WerFault.exe	pcrcyge.EXE

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1704 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

pcrcyge.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main pcrcyge.EXE

pid	process
1704	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	pcrcyge.EXE

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXEpcrcyge.EXE

pid	process
2024	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE
700	pcrcyge.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

pcrcyge.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	700	pcrcyge.EXE
Token: SeDebugPrivilege	700	pcrcyge.EXE
Token: SeShutdownPrivilege	1284	Explorer.EXE
Token: SeShutdownPrivilege	1284	Explorer.EXE
Token: SeShutdownPrivilege	1284	Explorer.EXE
Token: SeShutdownPrivilege	1284	Explorer.EXE
Token: SeShutdownPrivilege	1284	Explorer.EXE
Token: SeShutdownPrivilege	1284	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pcrcyge.EXE

pid process

1736 pcrcyge.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pcrcyge.EXE

pid process

1736 pcrcyge.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exepcrcyge.exepcrcyge.EXEpcrcyge.EXE

pid process

1996 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
952 pcrcyge.exe
1280 pcrcyge.EXE
1736 pcrcyge.EXE
1736 pcrcyge.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE

pid	process
1736	pcrcyge.EXE

pid	process
1736	pcrcyge.EXE

pid	process
1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
952	pcrcyge.exe
1280	pcrcyge.EXE
1736	pcrcyge.EXE
1736	pcrcyge.EXE

pid	process
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exetaskeng.exepcrcyge.exepcrcyge.EXEsvchost.exepcrcyge.EXE

description	pid	process	target process
PID 1996 wrote to memory of 2024	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 1996 wrote to memory of 2024	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 1996 wrote to memory of 2024	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 1996 wrote to memory of 2024	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 1996 wrote to memory of 2024	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 1996 wrote to memory of 2024	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 1996 wrote to memory of 2024	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 1996 wrote to memory of 1756	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	WerFault.exe
PID 1996 wrote to memory of 1756	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	WerFault.exe
PID 1996 wrote to memory of 1756	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	WerFault.exe
PID 1996 wrote to memory of 1756	1996	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	WerFault.exe
PID 1768 wrote to memory of 952	1768	taskeng.exe	pcrcyge.exe
PID 1768 wrote to memory of 952	1768	taskeng.exe	pcrcyge.exe
PID 1768 wrote to memory of 952	1768	taskeng.exe	pcrcyge.exe
PID 1768 wrote to memory of 952	1768	taskeng.exe	pcrcyge.exe
PID 952 wrote to memory of 700	952	pcrcyge.exe	pcrcyge.EXE
PID 952 wrote to memory of 700	952	pcrcyge.exe	pcrcyge.EXE
PID 952 wrote to memory of 700	952	pcrcyge.exe	pcrcyge.EXE
PID 952 wrote to memory of 700	952	pcrcyge.exe	pcrcyge.EXE
PID 952 wrote to memory of 700	952	pcrcyge.exe	pcrcyge.EXE
PID 952 wrote to memory of 700	952	pcrcyge.exe	pcrcyge.EXE
PID 952 wrote to memory of 700	952	pcrcyge.exe	pcrcyge.EXE
PID 952 wrote to memory of 1188	952	pcrcyge.exe	WerFault.exe
PID 952 wrote to memory of 1188	952	pcrcyge.exe	WerFault.exe
PID 952 wrote to memory of 1188	952	pcrcyge.exe	WerFault.exe
PID 952 wrote to memory of 1188	952	pcrcyge.exe	WerFault.exe
PID 700 wrote to memory of 600	700	pcrcyge.EXE	svchost.exe
PID 600 wrote to memory of 1764	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1764	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1764	600	svchost.exe	DllHost.exe
PID 700 wrote to memory of 1284	700	pcrcyge.EXE	Explorer.EXE
PID 700 wrote to memory of 1704	700	pcrcyge.EXE	vssadmin.exe
PID 700 wrote to memory of 1704	700	pcrcyge.EXE	vssadmin.exe
PID 700 wrote to memory of 1704	700	pcrcyge.EXE	vssadmin.exe
PID 700 wrote to memory of 1704	700	pcrcyge.EXE	vssadmin.exe
PID 700 wrote to memory of 1280	700	pcrcyge.EXE	pcrcyge.EXE
PID 700 wrote to memory of 1280	700	pcrcyge.EXE	pcrcyge.EXE
PID 700 wrote to memory of 1280	700	pcrcyge.EXE	pcrcyge.EXE
PID 700 wrote to memory of 1280	700	pcrcyge.EXE	pcrcyge.EXE
PID 1280 wrote to memory of 1736	1280	pcrcyge.EXE	pcrcyge.EXE
PID 1280 wrote to memory of 1736	1280	pcrcyge.EXE	pcrcyge.EXE
PID 1280 wrote to memory of 1736	1280	pcrcyge.EXE	pcrcyge.EXE
PID 1280 wrote to memory of 1736	1280	pcrcyge.EXE	pcrcyge.EXE
PID 1280 wrote to memory of 1736	1280	pcrcyge.EXE	pcrcyge.EXE
PID 1280 wrote to memory of 1736	1280	pcrcyge.EXE	pcrcyge.EXE
PID 1280 wrote to memory of 1736	1280	pcrcyge.EXE	pcrcyge.EXE
PID 1280 wrote to memory of 268	1280	pcrcyge.EXE	WerFault.exe
PID 1280 wrote to memory of 268	1280	pcrcyge.EXE	WerFault.exe
PID 1280 wrote to memory of 268	1280	pcrcyge.EXE	WerFault.exe
PID 1280 wrote to memory of 268	1280	pcrcyge.EXE	WerFault.exe
PID 600 wrote to memory of 1048	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1048	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1048	600	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1284

C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
"C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
"C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 228
3⤵
- Program crash
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1048

C:\Windows\system32\taskeng.exe
taskeng.exe {1B50EDA9-BC0B-4BD1-9BD4-BAC5EA014372} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\pcrcyge.EXE
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.EXE"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:1704

C:\Users\Admin\AppData\Local\Temp\pcrcyge.EXE
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.EXE" -u
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\pcrcyge.EXE
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 228
5⤵
- Loads dropped DLL
- Program crash
PID:268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 204
3⤵
- Loads dropped DLL
- Program crash
PID:1188

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\aubdarb
Filesize
654B

MD5
4997072d79fbd79bbf908cfc01d4cd8b

SHA1
7482e5e53065c57b8e1629e986665af8e4ae6b0b

SHA256
20cf006506c21a0fbe063ff833c2a254f34c47c87c2b4ebe897e22bfe62dcddc

SHA512
85631b73be56ba048f0142aef4e4e567fbb12de0356f9b411dc9ba15f6facf0e14a07b65cacc6da05cfa20212586d609265eaa2e55e0ed4b5ba39ca413711095

Download Submit
C:\ProgramData\Package Cache\aubdarb
Filesize
654B

MD5
4997072d79fbd79bbf908cfc01d4cd8b

SHA1
7482e5e53065c57b8e1629e986665af8e4ae6b0b

SHA256
20cf006506c21a0fbe063ff833c2a254f34c47c87c2b4ebe897e22bfe62dcddc

SHA512
85631b73be56ba048f0142aef4e4e567fbb12de0356f9b411dc9ba15f6facf0e14a07b65cacc6da05cfa20212586d609265eaa2e55e0ed4b5ba39ca413711095

Download Submit
C:\ProgramData\Package Cache\aubdarb
Filesize
654B

MD5
5b1e938e957dd848d2c57b6bada1f9f2

SHA1
4d910a85a4a64ecc9d816e6e7d688ef772deaaff

SHA256
c155c7eee3b04188ad65b34da61a286af926c1538a40e5cc4da3aff2580ffe72

SHA512
f85e7f93e9554873e825baeaf006a5598806688b6d60b82ff507d523dc55a816dd1029ed3f8aff2151fb68b35abff3b526b4f85d895061ae35c284c54bd196c6

Download Submit
C:\ProgramData\Package Cache\aubdarb
Filesize
654B

MD5
5b1e938e957dd848d2c57b6bada1f9f2

SHA1
4d910a85a4a64ecc9d816e6e7d688ef772deaaff

SHA256
c155c7eee3b04188ad65b34da61a286af926c1538a40e5cc4da3aff2580ffe72

SHA512
f85e7f93e9554873e825baeaf006a5598806688b6d60b82ff507d523dc55a816dd1029ed3f8aff2151fb68b35abff3b526b4f85d895061ae35c284c54bd196c6

Download Submit
C:\ProgramData\nydzthc.html
Filesize
62KB

MD5
34026a3de3eb530b8f97fb49884effec

SHA1
d1fa8dcdd85939b00f2024ac406dd5554fb0b7af

SHA256
7493b68956b1539478b73521f45cf873bce47191ea37e2f5d3da9daef9bf6c37

SHA512
b1f04a3dce8d1ca15c3bcfd50ee80b7def27d61516eb5201670289e66a3ff044ae4357814519ff3d8493f82773812ea7786cfce2ea0d0d5df58d68aa03ec9f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
memory/268-112-0x0000000000000000-mapping.dmp

Download
memory/600-93-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download
memory/600-87-0x0000000000450000-0x00000000004C7000-memory.dmp

Filesize
476KB

Download
memory/600-89-0x0000000000450000-0x00000000004C7000-memory.dmp

Filesize
476KB

Download
memory/700-86-0x00000000005E0000-0x0000000000713000-memory.dmp

Filesize
1.2MB

Download
memory/700-76-0x0000000000420A9C-mapping.dmp

Download
memory/952-68-0x0000000000000000-mapping.dmp

Download
memory/1048-121-0x0000000000000000-mapping.dmp

Download
memory/1188-79-0x0000000000000000-mapping.dmp

Download
memory/1280-100-0x0000000000000000-mapping.dmp

Download
memory/1704-99-0x0000000000000000-mapping.dmp

Download
memory/1736-108-0x0000000000420A9C-mapping.dmp

Download
memory/1736-118-0x00000000005B0000-0x00000000006E3000-memory.dmp

Filesize
1.2MB

Download
memory/1756-65-0x0000000000000000-mapping.dmp

Download
memory/1764-92-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2024-66-0x0000000000400000-0x0000000000426E00-memory.dmp

Filesize
155KB

Download
memory/2024-64-0x0000000000430000-0x0000000000563000-memory.dmp

Filesize
1.2MB

Download
memory/2024-63-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/2024-62-0x0000000000220000-0x0000000000322000-memory.dmp

Filesize
1.0MB

Download
memory/2024-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2024-60-0x0000000000420A9C-mapping.dmp

Download
memory/2024-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2024-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads