ctblocker | 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

Analysis

max time kernel
169s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Size

1.2MB
MD5

1aad30f76693aa8ec2fd2a9314b02125
SHA1

a199494ac4f065578323c1058e0f0cd5df563bc2
SHA256

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1
SHA512

fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c
SSDEEP

24576:ADqBNB/RLKAlkmrTgCQgoB/7nhYfxknKBCXzOvERcd8Gu7q:ADkpRkmvQgo9zS6nMv7+1u

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-ipiermb.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 2KXTTDI-7DLXGNY-3M4OPDC-EETECOZ-2BGXVC2-K3QZLXR-V7CF7KZ-CJOUH7H I5CTMGW-O2A34R5-HZVYUCM-HTST4BF-BFAOATF-4QV7NLT-AWZ55OG-GBPQXG7 QWLHT74-AVFZAZ7-U5GCTZW-DSFZQ4R-DEARQXL-EPDG4GN-LHUETSF-7LZLNCN Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\ProgramData\borcfwe.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Executes dropped EXE 5 IoCs

Processes:

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exeovfgrqj.exeovfgrqj.exeovfgrqj.exeovfgrqj.exe

pid process

3716 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
2740 ovfgrqj.exe
1988 ovfgrqj.exe
548 ovfgrqj.exe
5036 ovfgrqj.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExpandProtect.CRW.ipiermb	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UnlockUnregister.CRW.ipiermb	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GrantOut.RAW.ipiermb	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UseRename.RAW.ipiermb	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ovfgrqj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ovfgrqj.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

ovfgrqj.exeovfgrqj.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ovfgrqj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini	ovfgrqj.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ovfgrqj.exe.log	ovfgrqj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ovfgrqj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ovfgrqj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ovfgrqj.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-ipiermb.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exeovfgrqj.exeovfgrqj.exe

description	pid	process	target process
PID 4584 set thread context of 3716	4584	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 2740 set thread context of 1988	2740	ovfgrqj.exe	ovfgrqj.exe
PID 548 set thread context of 5036	548	ovfgrqj.exe	ovfgrqj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

ovfgrqj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	ovfgrqj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ovfgrqj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ovfgrqj.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\GPU	ovfgrqj.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{06969d78-0000-0000-0000-d01200000000}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{06969d78-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{06969d78-0000-0000-0000-d01200000000}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00300036003900360039006400370038002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exeovfgrqj.exe

pid	process
3716	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
3716	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe
1988	ovfgrqj.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2576 Explorer.EXE

pid	process
2576	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

ovfgrqj.exeovfgrqj.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1988	ovfgrqj.exe
Token: SeDebugPrivilege	1988	ovfgrqj.exe
Token: SeDebugPrivilege	548	ovfgrqj.exe
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ovfgrqj.exe

pid process

5036 ovfgrqj.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ovfgrqj.exe

pid process

5036 ovfgrqj.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ovfgrqj.exe

pid process

5036 ovfgrqj.exe
5036 ovfgrqj.exe

pid	process
5036	ovfgrqj.exe

pid	process
5036	ovfgrqj.exe

pid	process
5036	ovfgrqj.exe
5036	ovfgrqj.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exeovfgrqj.exeovfgrqj.exesvchost.exeovfgrqj.exe

description	pid	process	target process
PID 4584 wrote to memory of 3716	4584	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 4584 wrote to memory of 3716	4584	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 4584 wrote to memory of 3716	4584	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 4584 wrote to memory of 3716	4584	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 4584 wrote to memory of 3716	4584	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 4584 wrote to memory of 3716	4584	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 2740 wrote to memory of 1988	2740	ovfgrqj.exe	ovfgrqj.exe
PID 2740 wrote to memory of 1988	2740	ovfgrqj.exe	ovfgrqj.exe
PID 2740 wrote to memory of 1988	2740	ovfgrqj.exe	ovfgrqj.exe
PID 2740 wrote to memory of 1988	2740	ovfgrqj.exe	ovfgrqj.exe
PID 2740 wrote to memory of 1988	2740	ovfgrqj.exe	ovfgrqj.exe
PID 2740 wrote to memory of 1988	2740	ovfgrqj.exe	ovfgrqj.exe
PID 1988 wrote to memory of 780	1988	ovfgrqj.exe	svchost.exe
PID 1988 wrote to memory of 2576	1988	ovfgrqj.exe	Explorer.EXE
PID 780 wrote to memory of 4404	780	svchost.exe	mousocoreworker.exe
PID 780 wrote to memory of 4404	780	svchost.exe	mousocoreworker.exe
PID 1988 wrote to memory of 548	1988	ovfgrqj.exe	ovfgrqj.exe
PID 1988 wrote to memory of 548	1988	ovfgrqj.exe	ovfgrqj.exe
PID 1988 wrote to memory of 548	1988	ovfgrqj.exe	ovfgrqj.exe
PID 548 wrote to memory of 5036	548	ovfgrqj.exe	ovfgrqj.exe
PID 548 wrote to memory of 5036	548	ovfgrqj.exe	ovfgrqj.exe
PID 548 wrote to memory of 5036	548	ovfgrqj.exe	ovfgrqj.exe
PID 548 wrote to memory of 5036	548	ovfgrqj.exe	ovfgrqj.exe
PID 548 wrote to memory of 5036	548	ovfgrqj.exe	ovfgrqj.exe
PID 548 wrote to memory of 5036	548	ovfgrqj.exe	ovfgrqj.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:4404

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
"C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
"C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3716

C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
"C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
"C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe" -u
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
"C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\qzqqxbc
Filesize
654B

MD5
ae7ee19342179a365954cc3c557e3160

SHA1
3124aa333409806a05d263767c6f78646989f8c5

SHA256
69f5dc2da788c748b62730dd20bff0e3dbda8d9fe9bdc05ad9043a39dbc45b84

SHA512
ed81f4f93cd6df8a400ceee9356b91d99d1d2ea33890570f657435cd76d5f68c889d60be2c5805e0e284186f8bdba89e5b528bb9708ecec6b3625d4fd7e33c5f

Download Submit
C:\ProgramData\Oracle\qzqqxbc
Filesize
654B

MD5
ae7ee19342179a365954cc3c557e3160

SHA1
3124aa333409806a05d263767c6f78646989f8c5

SHA256
69f5dc2da788c748b62730dd20bff0e3dbda8d9fe9bdc05ad9043a39dbc45b84

SHA512
ed81f4f93cd6df8a400ceee9356b91d99d1d2ea33890570f657435cd76d5f68c889d60be2c5805e0e284186f8bdba89e5b528bb9708ecec6b3625d4fd7e33c5f

Download Submit
C:\ProgramData\Oracle\qzqqxbc
Filesize
654B

MD5
fda1fab97e467bfb010c9bafcbb08e9f

SHA1
0a0cd9ba8f035c7f91070d58927ce5bee6c39b0c

SHA256
a310ba36367e973ec869cdfeabe075033eab58403a441f68e43d0a5ff59f98df

SHA512
2a3d235f8784018a6dd8bd4b79de5cfd9714583fe4a1685f5e8bf47b7254851ab823af3ac335867586b2e26f5c9ed1f27884fb8e1f265b333632dcb6b1d36f13

Download Submit
C:\ProgramData\Oracle\qzqqxbc
Filesize
654B

MD5
a1b0b9b6f1cb091e54bc9d782e2736b0

SHA1
ee2c1b2d5be52c5f35abc013f62010afde9cb971

SHA256
bd994a4ca0c59943f8acacc4145295d80d1d3f5ba6b56556fe2c61257e631f31

SHA512
736325c999c6ef9d3bd3d91a986c02f3fb6427e0376f1adc37de67d7886c20b2252dd96c15cbed0de50a3e3e3c7c0ce977392796e7ff56a8594a65d906537384

Download Submit
C:\ProgramData\Oracle\qzqqxbc
Filesize
654B

MD5
13098299200feee6c8e3b2555df730b0

SHA1
233b40aede62d1c9cb916a0d2dd891f5323aaee7

SHA256
b1ee84efe6db4021061f0245d0c4a2cff6350c9f01474911fb8b9912fba42a7f

SHA512
f1fd0bc5e297a92c22df176d6c717ba2b31bce8b995f54620e7f37e346595b746efc65b184ad7119d5325237ba670bd0ae701b144e65a921befefda6819479a9

Download Submit
C:\ProgramData\borcfwe.html
Filesize
225KB

MD5
eb61ed8cf32d2f8e50f79c3ac1c158c7

SHA1
c939cc62a77a13b74cbfe649c16a4930cf5088ff

SHA256
713cf81cc1da981ced8c72e9fca3f8d0a7f5a1e14d06a70d895b934ffd483281

SHA512
64a76f7d574e7002519b859ebe3c6a1a35fef67d5a856b885c1e260ed0b4c40ca6ef496b585e74902bf354f39ba40243ae407a436cb9d843018168acca00eb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.ipiermb
Filesize
36KB

MD5
f372d1203f81ab37f60353db03c08305

SHA1
431a9ed984075d1080ef079b24599ddcb7794e18

SHA256
d5edfdd4fc9e03a7089bd1fecd49bf4ca9063dd61fc78a654894cc2186707045

SHA512
ae31956e5ad0db59bd2d7cfe5263e36f579d66123f989f361288833f11651400f93d52d1f03249ef5c63c9bcd1510a705532c8382657ca31a3dcf38dee8329dc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ovfgrqj.exe.log
Filesize
312B

MD5
023e5d9d5fd0491df718ec4ad9bebd12

SHA1
3e9f29444256c26d683c0f3544bcb568084ab082

SHA256
2c219f3587282c91af23370457b964104edb704f83fa547eb06cdb2f82049b74

SHA512
7864f718ecfda36465868e6794ff813c7541071f1179d3c2dc35d4beac1ad86d66decdfe2ed2a9d02338ccf07a51ac9dcf530a4fcdc6db78e8b17084327b394d

Download Submit
memory/548-165-0x0000000074290000-0x0000000074841000-memory.dmp

Filesize
5.7MB

Download
memory/548-162-0x0000000000000000-mapping.dmp

Download
memory/548-170-0x0000000074290000-0x0000000074841000-memory.dmp

Filesize
5.7MB

Download
memory/780-153-0x0000000038200000-0x0000000038277000-memory.dmp

Filesize
476KB

Download
memory/1988-152-0x0000000000FA0000-0x00000000011EB000-memory.dmp

Filesize
2.3MB

Download
memory/1988-144-0x0000000000000000-mapping.dmp

Download
memory/2740-151-0x00000000742A0000-0x0000000074851000-memory.dmp

Filesize
5.7MB

Download
memory/3716-141-0x00000000015C0000-0x000000000180B000-memory.dmp

Filesize
2.3MB

Download
memory/3716-140-0x00000000013A0000-0x00000000015BA000-memory.dmp

Filesize
2.1MB

Download
memory/3716-139-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3716-134-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3716-133-0x0000000000000000-mapping.dmp

Download
memory/4404-161-0x0000000000000000-mapping.dmp

Download
memory/4584-132-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/4584-138-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/5036-166-0x0000000000000000-mapping.dmp

Download
memory/5036-174-0x00000000019A0000-0x0000000001BEB000-memory.dmp

Filesize
2.3MB

Download