ctblocker | 749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

Analysis

max time kernel
151s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
Size

928KB
MD5

284b37c4771f4dcf91a37348014e04ff
SHA1

211e5aa4cc0451aa252660576fc5c6a1961667fd
SHA256

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913
SHA512

dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568
SSDEEP

24576:+TSkT7/hjVX1uKLGLY27AX1Wh6qC/UxPpXWhi:Evl3LG0h1KZkwPhW

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hsshzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YLZ6O56-AL4MSLE-UHFAEY7-G6VV6GZ-46XDH7W-FVBRSRO-EPQ2H4F-L22NOZI 4M7OHZF-BR5WCMD-EEVE66I-2RATTAF-W3EZJNA-S4PKC3R-A27UEE4-EUQRV5L 3XBV34O-UT5V5OO-QHUJZ5Q-P6ZTFGM-LY3K5RC-UBGRUSJ-3GFC2GG-VUEANF7 Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-hsshzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YLZ6O56-AL4MSLE-UHFAEY7-G6VV6GZ-46XDH7W-FVBRSRO-EPQ2H4F-L22NOZI 4M7OHZF-BR5WCMD-EEVE66I-2RATTAF-W3EZJNA-S4PKC3R-A27UEE4-EUQRV5L 3XBV34O-UT5V5OO-QHUJZ5Q-P6ZTFGM-LY3KPDC-OUGRUSJ-3GFC2GG-VUEQHQI Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

pdfisga.exepdfisga.exepdfisga.exepdfisga.exe

pid process

1488 pdfisga.exe
304 pdfisga.exe
624 pdfisga.exe
2032 pdfisga.exe

pid	process
1488	pdfisga.exe
304	pdfisga.exe
624	pdfisga.exe
2032	pdfisga.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\TestSkip.RAW.hsshzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CompleteCompress.CRW.hsshzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UnprotectSave.RAW.hsshzxi	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pdfisga.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation pdfisga.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	pdfisga.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

pdfisga.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pdfisga.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-hsshzxi.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exepdfisga.exepdfisga.exe

description	pid	process	target process
PID 1288 set thread context of 1352	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1488 set thread context of 304	1488	pdfisga.exe	pdfisga.exe
PID 624 set thread context of 2032	624	pdfisga.exe	pdfisga.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hsshzxi.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hsshzxi.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1364 vssadmin.exe

pid	process
1364	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

pdfisga.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pdfisga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pdfisga.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	pdfisga.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640061006500300037006100650034002d0032006100330034002d0031003100650064002d0038003600630036002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exepdfisga.exe

pid	process
1352	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe
304	pdfisga.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

pid	process
1200	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pdfisga.exepdfisga.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	304	pdfisga.exe
Token: SeDebugPrivilege	304	pdfisga.exe
Token: SeDebugPrivilege	624	pdfisga.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pdfisga.exe

pid process

2032 pdfisga.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pdfisga.exe

pid process

2032 pdfisga.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pdfisga.exe

pid process

2032 pdfisga.exe
2032 pdfisga.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

pid	process
2032	pdfisga.exe

pid	process
2032	pdfisga.exe

pid	process
2032	pdfisga.exe
2032	pdfisga.exe

pid	process
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exetaskeng.exepdfisga.exepdfisga.exesvchost.exepdfisga.exe

description	pid	process	target process
PID 1288 wrote to memory of 1148	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1148	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1148	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1148	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1516	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1516	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1516	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1516	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1352	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1352	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1352	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1352	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1352	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1352	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1288 wrote to memory of 1352	1288	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1756 wrote to memory of 1488	1756	taskeng.exe	pdfisga.exe
PID 1756 wrote to memory of 1488	1756	taskeng.exe	pdfisga.exe
PID 1756 wrote to memory of 1488	1756	taskeng.exe	pdfisga.exe
PID 1756 wrote to memory of 1488	1756	taskeng.exe	pdfisga.exe
PID 1488 wrote to memory of 304	1488	pdfisga.exe	pdfisga.exe
PID 1488 wrote to memory of 304	1488	pdfisga.exe	pdfisga.exe
PID 1488 wrote to memory of 304	1488	pdfisga.exe	pdfisga.exe
PID 1488 wrote to memory of 304	1488	pdfisga.exe	pdfisga.exe
PID 1488 wrote to memory of 304	1488	pdfisga.exe	pdfisga.exe
PID 1488 wrote to memory of 304	1488	pdfisga.exe	pdfisga.exe
PID 1488 wrote to memory of 304	1488	pdfisga.exe	pdfisga.exe
PID 304 wrote to memory of 588	304	pdfisga.exe	svchost.exe
PID 588 wrote to memory of 960	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 960	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 960	588	svchost.exe	DllHost.exe
PID 304 wrote to memory of 1200	304	pdfisga.exe	Explorer.EXE
PID 304 wrote to memory of 1364	304	pdfisga.exe	vssadmin.exe
PID 304 wrote to memory of 1364	304	pdfisga.exe	vssadmin.exe
PID 304 wrote to memory of 1364	304	pdfisga.exe	vssadmin.exe
PID 304 wrote to memory of 1364	304	pdfisga.exe	vssadmin.exe
PID 304 wrote to memory of 624	304	pdfisga.exe	pdfisga.exe
PID 304 wrote to memory of 624	304	pdfisga.exe	pdfisga.exe
PID 304 wrote to memory of 624	304	pdfisga.exe	pdfisga.exe
PID 304 wrote to memory of 624	304	pdfisga.exe	pdfisga.exe
PID 624 wrote to memory of 2032	624	pdfisga.exe	pdfisga.exe
PID 624 wrote to memory of 2032	624	pdfisga.exe	pdfisga.exe
PID 624 wrote to memory of 2032	624	pdfisga.exe	pdfisga.exe
PID 624 wrote to memory of 2032	624	pdfisga.exe	pdfisga.exe
PID 624 wrote to memory of 2032	624	pdfisga.exe	pdfisga.exe
PID 624 wrote to memory of 2032	624	pdfisga.exe	pdfisga.exe
PID 624 wrote to memory of 2032	624	pdfisga.exe	pdfisga.exe
PID 588 wrote to memory of 1524	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 1524	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 1524	588	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1200

C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
"C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
"C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe"
3⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
"C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
"C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe"
3⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1524

C:\Windows\system32\taskeng.exe
taskeng.exe {7967A0AF-2A60-405F-A416-3912F4DC4353} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:1364

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\xptppml

Filesize
654B

MD5
26423b840f16bbff1226c40795bffbba

SHA1
08ef5bbbbd9c4114bcce349d62a04b6e0a8c5524

SHA256
ce821f8156ba4a675ba335d0a1100b93a7f2caff4b2f4ab6c9c859954d0e3664

SHA512
610aaa7a2835d6ce6bda0f32989497f21bd6197f49d6d6cbd5d2e95c9bf18ebf53c397263047359777c6efafcb44ffc62095f9e0fe892526570754ec4c8e6603

Download Submit
C:\ProgramData\Microsoft Help\xptppml

Filesize
654B

MD5
26423b840f16bbff1226c40795bffbba

SHA1
08ef5bbbbd9c4114bcce349d62a04b6e0a8c5524

SHA256
ce821f8156ba4a675ba335d0a1100b93a7f2caff4b2f4ab6c9c859954d0e3664

SHA512
610aaa7a2835d6ce6bda0f32989497f21bd6197f49d6d6cbd5d2e95c9bf18ebf53c397263047359777c6efafcb44ffc62095f9e0fe892526570754ec4c8e6603

Download Submit
C:\ProgramData\Microsoft Help\xptppml

Filesize
654B

MD5
6e76473d741b9353d2228d9949883788

SHA1
a3e7ed658010a46e3b4aca8994583cc7b485805a

SHA256
30aafdee543b6bc9c662d981d298d4ec921660f12a4b0157f1adf9bfcc360620

SHA512
7896e62da1755b4d2d97ab517e7be79d9317ab21edf84cd8922e8105b8243c59ecb90c573d136da4005837121d2ec45ff42ff3860c84d9645772945a5d7465b3

Download Submit
C:\ProgramData\Microsoft Help\xptppml

Filesize
654B

MD5
6e76473d741b9353d2228d9949883788

SHA1
a3e7ed658010a46e3b4aca8994583cc7b485805a

SHA256
30aafdee543b6bc9c662d981d298d4ec921660f12a4b0157f1adf9bfcc360620

SHA512
7896e62da1755b4d2d97ab517e7be79d9317ab21edf84cd8922e8105b8243c59ecb90c573d136da4005837121d2ec45ff42ff3860c84d9645772945a5d7465b3

Download Submit
C:\ProgramData\zlwdkgg.html

Filesize
62KB

MD5
e2d49c8f24c6cc2caa8b993b11693d22

SHA1
ef241c90f1775d8827c60e7cfab63db730823468

SHA256
b446a93d9934589a23b35750e72880db956474981363f2f465b0e10628faac8c

SHA512
243d93569201cff8052cd0ce1e9d8e98e90a891466d807f931e157271eb6bfef80cc18e15d09a3425b1f7f6cfbba3a38d92f81caaa2f744e66462d7825fa4afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
memory/304-84-0x00000000008E0000-0x0000000000B2B000-memory.dmp

Filesize
2.3MB

Download
memory/304-77-0x0000000000401FA3-mapping.dmp

Download
memory/588-85-0x0000000000CB0000-0x0000000000D27000-memory.dmp

Filesize
476KB

Download
memory/588-91-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download
memory/588-87-0x0000000000CB0000-0x0000000000D27000-memory.dmp

Filesize
476KB

Download
memory/624-109-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/624-98-0x0000000000000000-mapping.dmp

Download
memory/960-90-0x0000000000000000-mapping.dmp

Download
memory/1288-55-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-63-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1352-64-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1352-67-0x0000000000B70000-0x0000000000DBB000-memory.dmp

Filesize
2.3MB

Download
memory/1352-61-0x0000000000401FA3-mapping.dmp

Download
memory/1352-59-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1352-65-0x0000000000950000-0x0000000000B6A000-memory.dmp

Filesize
2.1MB

Download
memory/1352-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1352-56-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1364-97-0x0000000000000000-mapping.dmp

Download
memory/1488-82-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1488-69-0x0000000000000000-mapping.dmp

Download
memory/1524-115-0x0000000000000000-mapping.dmp

Download
memory/2032-113-0x0000000000740000-0x000000000098B000-memory.dmp

Filesize
2.3MB

Download
memory/2032-106-0x0000000000401FA3-mapping.dmp

Download