Analysis
-
max time kernel
152s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28-11-2022 16:22
General
-
Target
748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe
-
Size
654KB
-
MD5
9cd4cebf8b04cd6864b59e4c0cf4aafa
-
SHA1
2287faa3026c5981f3796268112998ac1c06c5d3
-
SHA256
748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7
-
SHA512
03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d
-
SSDEEP
12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-otdblmn.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-otdblmn.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe"C:\Users\Admin\AppData\Local\Temp\748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {8002E135-FD15-43EE-BE4B-0B5F9CF1A386} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeC:\Users\Admin\AppData\Local\Temp\pcrcyge.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all3⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\aubdarbFilesize
654B
MD59532089cb290ea11677b6ead4f7336e5
SHA17be5e6b65c923f1fab88fbc17e1225b15c50239f
SHA256a589bd6ad29b242a90fc945c06fd44ff4cec87ac9afad58928377aef380741ef
SHA512108ad29fc0099988e3ebdc8a06e442ad673580f502c768e6121c0b81ce68b340639d9f090fec683f6712944b3e744c71b4b39ab89f49bb3548c0d029725331e0
-
C:\ProgramData\Microsoft\aubdarbFilesize
654B
MD59532089cb290ea11677b6ead4f7336e5
SHA17be5e6b65c923f1fab88fbc17e1225b15c50239f
SHA256a589bd6ad29b242a90fc945c06fd44ff4cec87ac9afad58928377aef380741ef
SHA512108ad29fc0099988e3ebdc8a06e442ad673580f502c768e6121c0b81ce68b340639d9f090fec683f6712944b3e744c71b4b39ab89f49bb3548c0d029725331e0
-
C:\ProgramData\Microsoft\aubdarbFilesize
654B
MD5d1fafd2a431314b1efd09a1d30c2b117
SHA1d50961d62785e06fc4eb360ccee0d6d5ed50e87b
SHA256551eea0f367f34607c3550a3501d965ae2a98163541bd474ab1bbf64a6669058
SHA5120c66f4f23dccb7ca09e12e40d6d25a2f7c54e4aa92f9bea9fc44c54c109f5d1ef75751202fa5c8679d37994e84b38dbfdb092d5bd04f575218fe6baa828be33c
-
C:\ProgramData\Microsoft\aubdarbFilesize
654B
MD52375cf93c2cd01b42dc1bad65d319cf0
SHA103e3f97ed34e6a6037cdc8a33b471009e6fb005a
SHA256933f8d6accced00fb42cb9449ded08867c076da16d185c5dc5fe6233a329cb34
SHA512205ddf2b2a7f44f10068688028a237a8b8d1bd44106b52b332002c68dbe5b1b898833f84d7f1960a1ede73aafd7351a4a725bd76cd7c7e4d74559bc176a06ac7
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
654KB
MD59cd4cebf8b04cd6864b59e4c0cf4aafa
SHA12287faa3026c5981f3796268112998ac1c06c5d3
SHA256748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7
SHA51203ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
654KB
MD59cd4cebf8b04cd6864b59e4c0cf4aafa
SHA12287faa3026c5981f3796268112998ac1c06c5d3
SHA256748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7
SHA51203ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
654KB
MD59cd4cebf8b04cd6864b59e4c0cf4aafa
SHA12287faa3026c5981f3796268112998ac1c06c5d3
SHA256748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7
SHA51203ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d
-
memory/592-69-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmpFilesize
8KB
-
memory/592-65-0x0000000000110000-0x0000000000187000-memory.dmpFilesize
476KB
-
memory/592-63-0x0000000000110000-0x0000000000187000-memory.dmpFilesize
476KB
-
memory/664-75-0x0000000000000000-mapping.dmp
-
memory/1276-68-0x0000000000000000-mapping.dmp
-
memory/1480-62-0x00000000007A0000-0x00000000009EB000-memory.dmpFilesize
2.3MB
-
memory/1480-58-0x0000000000000000-mapping.dmp
-
memory/1504-54-0x0000000000950000-0x0000000000B6A000-memory.dmpFilesize
2.1MB
-
memory/1504-56-0x0000000000B70000-0x0000000000DBB000-memory.dmpFilesize
2.3MB
-
memory/1504-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmpFilesize
8KB
-
memory/1620-76-0x0000000000000000-mapping.dmp
-
memory/1620-80-0x0000000000880000-0x0000000000ACB000-memory.dmpFilesize
2.3MB