Analysis
-
max time kernel
152s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28-11-2022 16:22
General
-
Target
995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22.exe
-
Size
654KB
-
MD5
f24e6374518fa7aed3d24a064a03bd23
-
SHA1
d0ffebdb6e5f97c2842d5578f889345b88224d5c
-
SHA256
995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22
-
SHA512
de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484
-
SSDEEP
12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pnbblmn.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-pnbblmn.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\ProgramData\nydzthc.html
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22.exe"C:\Users\Admin\AppData\Local\Temp\995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {88809D1D-C630-4D2A-940E-2A0909C1EEBE} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeC:\Users\Admin\AppData\Local\Temp\pcrcyge.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all3⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\aubdarbFilesize
654B
MD5473b4cb4fffaf0208e15cbe0adc638c6
SHA1268c6faeb56daa16522dfdd1072019927974379b
SHA256d53684187616aad1238494f40d02a7ec1464e385342a83955a5826dbc110d907
SHA512113488c29758311925abd76034937f21a1a27cb2019fd6fdc366e00f75d9e0b57982e7220b5b943a2c09893635ad071f27d6a409dd959300f7e92c772a06c4cd
-
C:\ProgramData\Microsoft\aubdarbFilesize
654B
MD5473b4cb4fffaf0208e15cbe0adc638c6
SHA1268c6faeb56daa16522dfdd1072019927974379b
SHA256d53684187616aad1238494f40d02a7ec1464e385342a83955a5826dbc110d907
SHA512113488c29758311925abd76034937f21a1a27cb2019fd6fdc366e00f75d9e0b57982e7220b5b943a2c09893635ad071f27d6a409dd959300f7e92c772a06c4cd
-
C:\ProgramData\Microsoft\aubdarbFilesize
654B
MD5915a2b5d6321eb669f608a4aef045a44
SHA1e0007c2a0742774980119cc7df0ed104bc1f8d72
SHA2567249d9971a85d7a11680a6318e69c38f9f8457602c57617b3c01991862203047
SHA512fdbf5b101b1be6269ec561d57e8607977dca35ce9c112e7019413e0098b9cc0c7bf36c2e07cea3fd86c95f5ccd1cb0392b149b8cc9f22b2f1b3eb955ac5cf9fb
-
C:\ProgramData\Microsoft\aubdarbFilesize
654B
MD5e0e1b0313aa43795a8beafd64fd1a3f7
SHA14924620bffb61cee1364c9ae2a8e65bc1fd41de7
SHA25644a69c44a1d9c61fbf62ab9752586cd523b3f5fa5fcf8ff4e09870f88226ad1d
SHA5121e2217dd0062af69f9459f3688b602f7b9472e21ffebc6bbbf5a7ccdab061db35f2f50018ad30c1e98a5973dc8293ba98ea3ea535b4bd2bcd463872a50e642a8
-
C:\ProgramData\nydzthc.htmlFilesize
62KB
MD5183d217f7ee43834ea51d2d4ccbc464c
SHA1143e54e98e1f446e6da609b978736cd7c1e76e9f
SHA2560481936c6207455282129fec0120c8e1a9393c4451033956950e8b9f91a57e96
SHA51226966f67f77c2c1c4bf1b6c4d33b6666926c53a8c8cf9863c1ff3403f4d01127e64a132b1670e4249d8a60dc200c3acab0886a373d433343f0d242966bb7a2ae
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
654KB
MD5f24e6374518fa7aed3d24a064a03bd23
SHA1d0ffebdb6e5f97c2842d5578f889345b88224d5c
SHA256995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22
SHA512de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
654KB
MD5f24e6374518fa7aed3d24a064a03bd23
SHA1d0ffebdb6e5f97c2842d5578f889345b88224d5c
SHA256995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22
SHA512de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
654KB
MD5f24e6374518fa7aed3d24a064a03bd23
SHA1d0ffebdb6e5f97c2842d5578f889345b88224d5c
SHA256995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22
SHA512de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484
-
memory/520-68-0x0000000000000000-mapping.dmp
-
memory/580-65-0x00000000002B0000-0x0000000000327000-memory.dmpFilesize
476KB
-
memory/580-69-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmpFilesize
8KB
-
memory/580-63-0x00000000002B0000-0x0000000000327000-memory.dmpFilesize
476KB
-
memory/940-62-0x0000000000780000-0x00000000009CB000-memory.dmpFilesize
2.3MB
-
memory/940-58-0x0000000000000000-mapping.dmp
-
memory/1168-75-0x0000000000000000-mapping.dmp
-
memory/1176-76-0x0000000000000000-mapping.dmp
-
memory/1176-80-0x0000000000BE0000-0x0000000000E2B000-memory.dmpFilesize
2.3MB
-
memory/1976-56-0x00000000008A0000-0x0000000000AEB000-memory.dmpFilesize
2.3MB
-
memory/1976-54-0x0000000000680000-0x000000000089A000-memory.dmpFilesize
2.1MB
-
memory/1976-55-0x0000000074AB1000-0x0000000074AB3000-memory.dmpFilesize
8KB