ctblocker | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7

Analysis

max time kernel
196s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
Size

698KB
MD5

438fee4986d75c2fb9a1f9239010f8ca
SHA1

c29e54756f10517557349c0bdb573d7847e00429
SHA256

4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7
SHA512

ea6fd27158a95f167074548200aef75cb0089c47ac9a21a074374bd082f3d44ae4e21baa490cb1869351010b8e11f7815f44c7d4bd89b26e8296aa4dd55d8598
SSDEEP

12288:pQyHYh6UeeLrQp0/XoU8bTRsdi9JSZPLGhX9H1QO7l4n2A1muOhsXL:pQ6UeeLkMB8bTRskSjeXh+Ok7OhY

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-mhgskmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 6WCRS77-DBOFNW4-JLVAU7U-T7VUYWU-SHSKRE6-DKLGWGB-BMOPMIH-Y5IIXRT 7Q4B7SU-DWQTEPV-BK6LEBN-NX6N6OC-D3JXPJG-7WCIWU3-3OGKCWT-AUY22OR LG7FZRX-66AFYWK-UWQRYCY-2WKSXNI-QHTTXKP-XJ4GPFG-XAOQARD-XAXW2PO Follow the instructions on the server.

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-mhgskmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 6WCRS77-DBOFNW4-JLVAU7U-T7VUYWU-SHSKRE6-DKLGWGB-BMOPMIH-Y5IIXRT 7Q4B7SU-DWQTEPV-BK6LEBN-NX6N6OC-D3JXPJG-7WCIWU3-3OGKCWT-AUY22OR LG7FZRX-66AFYWK-UWQRYCY-2WKSXNI-QHTTGYP-774GPFG-XAOQARD-XAXG2FS Follow the instructions on the server.

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Extracted

Path

C:\ProgramData\nydzthc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://kph3onblkthy4z37.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

pcrcyge.exepcrcyge.exepcrcyge.exepcrcyge.exe

pid process

1352 pcrcyge.exe
1172 pcrcyge.exe
1552 pcrcyge.exe
2016 pcrcyge.exe

pid	process
1352	pcrcyge.exe
1172	pcrcyge.exe
1552	pcrcyge.exe
2016	pcrcyge.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\JoinUnregister.RAW.mhgskmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\LimitBlock.RAW.mhgskmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\FormatEnable.RAW.mhgskmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CopyApprove.CRW.mhgskmn	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pcrcyge.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation pcrcyge.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	pcrcyge.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

pcrcyge.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pcrcyge.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-mhgskmn.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exepcrcyge.exepcrcyge.exe

description	pid	process	target process
PID 1908 set thread context of 1088	1908	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1352 set thread context of 1172	1352	pcrcyge.exe	pcrcyge.exe
PID 1552 set thread context of 2016	1552	pcrcyge.exe	pcrcyge.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-mhgskmn.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-mhgskmn.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2044 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

pcrcyge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main pcrcyge.exe

pid	process
2044	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	pcrcyge.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exepcrcyge.exe

pid	process
1088	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe
1172	pcrcyge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

pcrcyge.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1172	pcrcyge.exe
Token: SeDebugPrivilege	1172	pcrcyge.exe
Token: SeShutdownPrivilege	1432	Explorer.EXE
Token: SeShutdownPrivilege	1432	Explorer.EXE
Token: SeShutdownPrivilege	1432	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pcrcyge.exe

pid process

2016 pcrcyge.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pcrcyge.exe

pid process

2016 pcrcyge.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pcrcyge.exe

pid process

2016 pcrcyge.exe
2016 pcrcyge.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1432 Explorer.EXE

pid	process
2016	pcrcyge.exe

pid	process
2016	pcrcyge.exe

pid	process
2016	pcrcyge.exe
2016	pcrcyge.exe

pid	process
1432	Explorer.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exetaskeng.exepcrcyge.exepcrcyge.exesvchost.exepcrcyge.exe

description	pid	process	target process
PID 1908 wrote to memory of 1088	1908	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088	1908	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088	1908	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088	1908	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088	1908	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088	1908	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088	1908	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe	4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 908 wrote to memory of 1352	908	taskeng.exe	pcrcyge.exe
PID 908 wrote to memory of 1352	908	taskeng.exe	pcrcyge.exe
PID 908 wrote to memory of 1352	908	taskeng.exe	pcrcyge.exe
PID 908 wrote to memory of 1352	908	taskeng.exe	pcrcyge.exe
PID 1352 wrote to memory of 1172	1352	pcrcyge.exe	pcrcyge.exe
PID 1352 wrote to memory of 1172	1352	pcrcyge.exe	pcrcyge.exe
PID 1352 wrote to memory of 1172	1352	pcrcyge.exe	pcrcyge.exe
PID 1352 wrote to memory of 1172	1352	pcrcyge.exe	pcrcyge.exe
PID 1352 wrote to memory of 1172	1352	pcrcyge.exe	pcrcyge.exe
PID 1352 wrote to memory of 1172	1352	pcrcyge.exe	pcrcyge.exe
PID 1352 wrote to memory of 1172	1352	pcrcyge.exe	pcrcyge.exe
PID 1172 wrote to memory of 596	1172	pcrcyge.exe	svchost.exe
PID 596 wrote to memory of 996	596	svchost.exe	DllHost.exe
PID 596 wrote to memory of 996	596	svchost.exe	DllHost.exe
PID 596 wrote to memory of 996	596	svchost.exe	DllHost.exe
PID 1172 wrote to memory of 1432	1172	pcrcyge.exe	Explorer.EXE
PID 1172 wrote to memory of 2044	1172	pcrcyge.exe	vssadmin.exe
PID 1172 wrote to memory of 2044	1172	pcrcyge.exe	vssadmin.exe
PID 1172 wrote to memory of 2044	1172	pcrcyge.exe	vssadmin.exe
PID 1172 wrote to memory of 2044	1172	pcrcyge.exe	vssadmin.exe
PID 1172 wrote to memory of 1552	1172	pcrcyge.exe	pcrcyge.exe
PID 1172 wrote to memory of 1552	1172	pcrcyge.exe	pcrcyge.exe
PID 1172 wrote to memory of 1552	1172	pcrcyge.exe	pcrcyge.exe
PID 1172 wrote to memory of 1552	1172	pcrcyge.exe	pcrcyge.exe
PID 1552 wrote to memory of 2016	1552	pcrcyge.exe	pcrcyge.exe
PID 1552 wrote to memory of 2016	1552	pcrcyge.exe	pcrcyge.exe
PID 1552 wrote to memory of 2016	1552	pcrcyge.exe	pcrcyge.exe
PID 1552 wrote to memory of 2016	1552	pcrcyge.exe	pcrcyge.exe
PID 1552 wrote to memory of 2016	1552	pcrcyge.exe	pcrcyge.exe
PID 1552 wrote to memory of 2016	1552	pcrcyge.exe	pcrcyge.exe
PID 1552 wrote to memory of 2016	1552	pcrcyge.exe	pcrcyge.exe
PID 596 wrote to memory of 624	596	svchost.exe	DllHost.exe
PID 596 wrote to memory of 624	596	svchost.exe	DllHost.exe
PID 596 wrote to memory of 624	596	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1432

C:\Users\Admin\AppData\Local\Temp\4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
"C:\Users\Admin\AppData\Local\Temp\4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
"C:\Users\Admin\AppData\Local\Temp\4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:624

C:\Windows\system32\taskeng.exe
taskeng.exe {18BC3B0D-879D-41B4-9059-326FFE2AEB07} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:2044

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\aubdarb
Filesize
654B

MD5
c4a1c21a2f3d29fe1b8f54be188f45cf

SHA1
d2f9b723345ac69a8514a8fd4dde0b9e844c94c8

SHA256
680d5d12fb9f8db1420fa7d3ad4fbc5fa73e9919ef3d44c3b5ba5e4e1dd09880

SHA512
a71772e985abcc2bac5b4c57311bb6b5b24a32de626559e807c5a49fac22a43f11b9b2ebcee384b0d2149cb0c0f56b88bf4e9802600032831b18143b22f07844

Download Submit
C:\ProgramData\Package Cache\aubdarb
Filesize
654B

MD5
c4a1c21a2f3d29fe1b8f54be188f45cf

SHA1
d2f9b723345ac69a8514a8fd4dde0b9e844c94c8

SHA256
680d5d12fb9f8db1420fa7d3ad4fbc5fa73e9919ef3d44c3b5ba5e4e1dd09880

SHA512
a71772e985abcc2bac5b4c57311bb6b5b24a32de626559e807c5a49fac22a43f11b9b2ebcee384b0d2149cb0c0f56b88bf4e9802600032831b18143b22f07844

Download Submit
C:\ProgramData\Package Cache\aubdarb
Filesize
654B

MD5
eecac3dedeb33ca0fb9a530eb4b84d56

SHA1
a0a4a3c88269b2b8e5ba95f5841668a7bbb39d37

SHA256
8bd922cd2914d2a846fbf55366da1d977df68c822dba5c80d0e918ef90a5fd2c

SHA512
ae770280dd18e33f71c5b495ff59be004ce7967ce2cf64c93eedf0957e002658c75cc7e03ffaffc9fb16acf796426240bed9143ba18d1baf77e2e3f0319ef783

Download Submit
C:\ProgramData\Package Cache\aubdarb
Filesize
654B

MD5
6c67509539c0adf29382407ff7cb7529

SHA1
4fa3f5b32af1aad012516477f82f5580e42e22db

SHA256
77004e3c7f7840c3bb56210f57cc05160bd3028a394157a4bc631a854c67acb6

SHA512
c9a2ddeab8c554159ebaa11d693a30f239911d17d11fc029a1f4fb00801b30afee409e43ad48c4070d4ea0eb1af5f8cf3add6833ce018776df916409fdd46fcd

Download Submit
C:\ProgramData\nydzthc.html
Filesize
62KB

MD5
f2504d5ce2252f663eaf9479d1fa59f0

SHA1
e127848391f013faa3979e10926cb89e357d59ae

SHA256
e9aecf0c300a5260f0780f2a0fbd0e92add34b7d5fa4b62e2ad22774841d566d

SHA512
111c4dd1a5126c500faab34d864e641c75985bcabb9a3c00ae3f81b17c83f94bc35348dd14b0271ca03a955d9c6294feda96a8910facdbb7b9982f1cfe5e4ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
698KB

MD5
438fee4986d75c2fb9a1f9239010f8ca

SHA1
c29e54756f10517557349c0bdb573d7847e00429

SHA256
4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7

SHA512
ea6fd27158a95f167074548200aef75cb0089c47ac9a21a074374bd082f3d44ae4e21baa490cb1869351010b8e11f7815f44c7d4bd89b26e8296aa4dd55d8598

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
698KB

MD5
438fee4986d75c2fb9a1f9239010f8ca

SHA1
c29e54756f10517557349c0bdb573d7847e00429

SHA256
4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7

SHA512
ea6fd27158a95f167074548200aef75cb0089c47ac9a21a074374bd082f3d44ae4e21baa490cb1869351010b8e11f7815f44c7d4bd89b26e8296aa4dd55d8598

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
698KB

MD5
438fee4986d75c2fb9a1f9239010f8ca

SHA1
c29e54756f10517557349c0bdb573d7847e00429

SHA256
4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7

SHA512
ea6fd27158a95f167074548200aef75cb0089c47ac9a21a074374bd082f3d44ae4e21baa490cb1869351010b8e11f7815f44c7d4bd89b26e8296aa4dd55d8598

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
698KB

MD5
438fee4986d75c2fb9a1f9239010f8ca

SHA1
c29e54756f10517557349c0bdb573d7847e00429

SHA256
4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7

SHA512
ea6fd27158a95f167074548200aef75cb0089c47ac9a21a074374bd082f3d44ae4e21baa490cb1869351010b8e11f7815f44c7d4bd89b26e8296aa4dd55d8598

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
698KB

MD5
438fee4986d75c2fb9a1f9239010f8ca

SHA1
c29e54756f10517557349c0bdb573d7847e00429

SHA256
4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7

SHA512
ea6fd27158a95f167074548200aef75cb0089c47ac9a21a074374bd082f3d44ae4e21baa490cb1869351010b8e11f7815f44c7d4bd89b26e8296aa4dd55d8598

Download Submit
memory/596-87-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/596-81-0x00000000004A0000-0x0000000000517000-memory.dmp

Filesize
476KB

Download
memory/596-83-0x00000000004A0000-0x0000000000517000-memory.dmp

Filesize
476KB

Download
memory/624-109-0x0000000000000000-mapping.dmp

Download
memory/996-86-0x0000000000000000-mapping.dmp

Download
memory/1088-64-0x0000000000AF0000-0x0000000000D3B000-memory.dmp

Filesize
2.3MB

Download
memory/1088-62-0x00000000008D0000-0x0000000000AEA000-memory.dmp

Filesize
2.1MB

Download
memory/1088-55-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1088-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1088-65-0x0000000000401000-0x00000000004A5000-memory.dmp

Filesize
656KB

Download
memory/1088-54-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1088-63-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1088-59-0x0000000000401FA3-mapping.dmp

Download
memory/1088-61-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1172-80-0x00000000007D0000-0x0000000000A1B000-memory.dmp

Filesize
2.3MB

Download
memory/1172-74-0x0000000000401FA3-mapping.dmp

Download
memory/1352-67-0x0000000000000000-mapping.dmp

Download
memory/1552-94-0x0000000000000000-mapping.dmp

Download
memory/2016-101-0x0000000000401FA3-mapping.dmp

Download
memory/2016-107-0x0000000000CE0000-0x0000000000F2B000-memory.dmp

Filesize
2.3MB

Download
memory/2044-93-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads