Analysis
max time kernel: 152s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 16:22
Static task: static1
Behavioral task: behavioral1
  Sample: 995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22.exe
  Resource: win10v2004-20220812-en
General
Target: 995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22.exe
Size: 654KB
MD5: f24e6374518fa7aed3d24a064a03bd23
SHA1: d0ffebdb6e5f97c2842d5578f889345b88224d5c
SHA256: 995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22
SHA512: de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484
SSDEEP: 12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI
Malware Config
Extracted from C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pnbblmn.txt
  http://kph3onblkthy4z37.onion.cab
  http://kph3onblkthy4z37.tor2web.org
  http://kph3onblkthy4z37.onion/
Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-pnbblmn.txt
  http://kph3onblkthy4z37.onion.cab
  http://kph3onblkthy4z37.tor2web.org
  http://kph3onblkthy4z37.onion/
Extracted from C:\ProgramData\nydzthc.html
  http://kph3onblkthy4z37.onion.cab
  http://kph3onblkthy4z37.tor2web.org
  http://kph3onblkthy4z37.onion
Signatures
CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    940   pcrcyge.exe
    1176  pcrcyge.exe
Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
    File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\BackupImport.RAW.pnbblmn  svchost.exe
    File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\EnterJoin.CRW.pnbblmn  svchost.exe
    File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\RestorePush.CRW.pnbblmn  svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation  pcrcyge.exe
Drops desktop.ini file(s) (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\$RECYCLE.BIN\S-1-5-18\desktop.ini  svchost.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-pnbblmn.bmp"  Explorer.EXE
Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pnbblmn.txt  svchost.exe
    File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pnbblmn.bmp  svchost.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    1168  vssadmin.exe
Modifies data under HKEY_USERS (20 IoCs)
  Processes (description, ioc, process):
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140"  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon  svchost.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID  svchost.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"  svchost.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}  svchost.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"  svchost.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume  svchost.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0"  svchost.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000  svchost.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"  svchost.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes (pid, process):
    1976  995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22.exe
    940   pcrcyge.exe  (29 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    1268  Explorer.EXE
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege     940   pcrcyge.exe
    Token: SeDebugPrivilege     940   pcrcyge.exe
    Token: SeShutdownPrivilege  1268  Explorer.EXE
Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
    1176  pcrcyge.exe
Suspicious use of SendNotifyMessage (1 IoCs)
  Processes (pid, process):
    1176  pcrcyge.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    1176  pcrcyge.exe
    1176  pcrcyge.exe
Suspicious use of UnmapMainImage (1 IoCs)
  Processes (pid, process):
    1268  Explorer.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, pid, process, target process):
    PID 944 wrote to memory of 940   944  taskeng.exe  pcrcyge.exe   (4 entries)
    PID 940 wrote to memory of 580   940  pcrcyge.exe  svchost.exe   (1 entry)
    PID 580 wrote to memory of 520   580  svchost.exe  DllHost.exe   (3 entries)
    PID 940 wrote to memory of 1268  940  pcrcyge.exe  Explorer.EXE  (1 entry)
    PID 940 wrote to memory of 1168  940  pcrcyge.exe  vssadmin.exe  (4 entries)
    PID 940 wrote to memory of 1176  940  pcrcyge.exe  pcrcyge.exe   (4 entries)
Processes
C:\Windows\Explorer.EXE  (PID 1268)
  command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22.exe  (PID 1976)
    command line: "C:\Users\Admin\AppData\Local\Temp\995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22.exe"
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\svchost.exe  (PID 580)
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\DllHost.exe  (PID 520)
    command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\taskeng.exe  (PID 944)
  command line: taskeng.exe {88809D1D-C630-4D2A-940E-2A0909C1EEBE} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe  (PID 940)
    command line: C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vssadmin.exe  (PID 1168)
      command line: vssadmin delete shadows all
      - Interacts with shadow copies
    C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe  (PID 1176)
      command line: "C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\Microsoft\aubdarb
  Filesize: 654B
  MD5: 473b4cb4fffaf0208e15cbe0adc638c6
  SHA1: 268c6faeb56daa16522dfdd1072019927974379b
  SHA256: d53684187616aad1238494f40d02a7ec1464e385342a83955a5826dbc110d907
  SHA512: 113488c29758311925abd76034937f21a1a27cb2019fd6fdc366e00f75d9e0b57982e7220b5b943a2c09893635ad071f27d6a409dd959300f7e92c772a06c4cd
C:\ProgramData\Microsoft\aubdarb
  Filesize: 654B
  MD5: 915a2b5d6321eb669f608a4aef045a44
  SHA1: e0007c2a0742774980119cc7df0ed104bc1f8d72
  SHA256: 7249d9971a85d7a11680a6318e69c38f9f8457602c57617b3c01991862203047
  SHA512: fdbf5b101b1be6269ec561d57e8607977dca35ce9c112e7019413e0098b9cc0c7bf36c2e07cea3fd86c95f5ccd1cb0392b149b8cc9f22b2f1b3eb955ac5cf9fb
C:\ProgramData\Microsoft\aubdarb
  Filesize: 654B
  MD5: e0e1b0313aa43795a8beafd64fd1a3f7
  SHA1: 4924620bffb61cee1364c9ae2a8e65bc1fd41de7
  SHA256: 44a69c44a1d9c61fbf62ab9752586cd523b3f5fa5fcf8ff4e09870f88226ad1d
  SHA512: 1e2217dd0062af69f9459f3688b602f7b9472e21ffebc6bbbf5a7ccdab061db35f2f50018ad30c1e98a5973dc8293ba98ea3ea535b4bd2bcd463872a50e642a8
C:\ProgramData\nydzthc.html
  Filesize: 62KB
  MD5: 183d217f7ee43834ea51d2d4ccbc464c
  SHA1: 143e54e98e1f446e6da609b978736cd7c1e76e9f
  SHA256: 0481936c6207455282129fec0120c8e1a9393c4451033956950e8b9f91a57e96
  SHA512: 26966f67f77c2c1c4bf1b6c4d33b6666926c53a8c8cf9863c1ff3403f4d01127e64a132b1670e4249d8a60dc200c3acab0886a373d433343f0d242966bb7a2ae
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
  Filesize: 654KB
  MD5: f24e6374518fa7aed3d24a064a03bd23
  SHA1: d0ffebdb6e5f97c2842d5578f889345b88224d5c
  SHA256: 995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22
  SHA512: de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484
memory/520-68-0x0000000000000000-mapping.dmp
memory/580-65-0x00000000002B0000-0x0000000000327000-memory.dmp
  Filesize: 476KB
memory/580-69-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
  Filesize: 8KB
memory/580-63-0x00000000002B0000-0x0000000000327000-memory.dmp
  Filesize: 476KB
memory/940-62-0x0000000000780000-0x00000000009CB000-memory.dmp
  Filesize: 2.3MB
memory/940-58-0x0000000000000000-mapping.dmp
memory/1168-75-0x0000000000000000-mapping.dmp
memory/1176-76-0x0000000000000000-mapping.dmp
memory/1176-80-0x0000000000BE0000-0x0000000000E2B000-memory.dmp
  Filesize: 2.3MB
memory/1976-56-0x00000000008A0000-0x0000000000AEB000-memory.dmp
  Filesize: 2.3MB
memory/1976-54-0x0000000000680000-0x000000000089A000-memory.dmp
  Filesize: 2.1MB
memory/1976-55-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
  Filesize: 8KB