Overview

overview

10

Static

static

b35793f080...0a.exe

windows7-x64

5

b35793f080...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a.exe

  • Size

    815KB

  • MD5

    51ed7e8e341c08280b7a0217f7c39a3f

  • SHA1

    079ad2df4a1db02c4170b7d44aaa189f16194fa1

  • SHA256

    b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

  • SHA512

    13c810699ca58e17a8a5e2bf36e3eeb5d404d5f740ae833fc06f3bcef3aa3cb01da6d373be07a32e29cc613c09803132b8b1a28928a2ffd35abc60b1918168be

  • SSDEEP

    24576:coZle5i/xmrxgxh6UAkNe7bBmGC5MN8XL:dg9yG4Gen

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-brkqcsi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. AQCDYTZ-57BI5FG-EGWPADW-GRE3OU6-2TOEQWA-ZGKOGD2-5EKGXKK-RFEIYRU K4IIXQK-HSX3FUW-J4PQ6XV-DDKUHXN-5IRI4CO-6SSP5Q5-FPW5EQI-IJMIK5I AUC4OG4-H34FEV6-67IKE5U-PR5QOFL-ZTVZMIX-CIQE3IA-PZUNUUS-2L7TZQS Follow the instructions on the server.
URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Extracted

Path

C:\ProgramData\yrnkowk.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://onja764ig6vah2jo.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\System32\mousocoreworker.exe
      C:\Windows\System32\mousocoreworker.exe -Embedding
      2⤵
        PID:2264
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        2⤵
          PID:3344
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Sets desktop wallpaper using registry
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
        • C:\Users\Admin\AppData\Local\Temp\b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a.exe
          "C:\Users\Admin\AppData\Local\Temp\b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1616
          • C:\Users\Admin\AppData\Local\Temp\b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a.exe
            "C:\Users\Admin\AppData\Local\Temp\b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4812
      • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
        C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4860
        • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
          C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1192
          • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
            "C:\Users\Admin\AppData\Local\Temp\dajjvan.exe" -u
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3876
            • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
              "C:\Users\Admin\AppData\Local\Temp\dajjvan.exe" -u
              4⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Drops file in System32 directory
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:4840

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Defacement

      1
      T1491

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft OneDrive\akatxdg
        Filesize

        654B

        MD5

        438fbd458985c7da8eb501b3162cd7b5

        SHA1

        8f2e29b99c2930ac1db67ed67c607342a025f11b

        SHA256

        a653a6ecf1a8f6b669cc430fc229795e992ebdbf751e42f43d4cb04450ddb610

        SHA512

        862f476e56bd813b0605e0ad1b824d2c1b37d10a35acadf01fc7efb8f0b0d40d4a8af4e05874d51798ae6b10cd50bea1afd37ee8c147b3c695518face382e5cd

        Download Submit
      • C:\ProgramData\Microsoft OneDrive\akatxdg
        Filesize

        654B

        MD5

        438fbd458985c7da8eb501b3162cd7b5

        SHA1

        8f2e29b99c2930ac1db67ed67c607342a025f11b

        SHA256

        a653a6ecf1a8f6b669cc430fc229795e992ebdbf751e42f43d4cb04450ddb610

        SHA512

        862f476e56bd813b0605e0ad1b824d2c1b37d10a35acadf01fc7efb8f0b0d40d4a8af4e05874d51798ae6b10cd50bea1afd37ee8c147b3c695518face382e5cd

        Download Submit
      • C:\ProgramData\Microsoft OneDrive\akatxdg
        Filesize

        654B

        MD5

        cc4ed838fa7a46c34428632e6f168f6d

        SHA1

        f248113f2836767e86f56a0d21e592b592c91df7

        SHA256

        66b5fc436be5ce913c21f3e0c4d50332b6e721299929748bf175cd266b0d6a1d

        SHA512

        7d2986606d738c23d76462837383b87f51b137aa59606b9f6d7a8b3c62a45c7a24ed1eb8d97fad6e2a6aca0c6a4e90401d7b606dc9ea1c7378418137435ed013

        Download Submit
      • C:\ProgramData\Microsoft OneDrive\akatxdg
        Filesize

        654B

        MD5

        9900252d87369ad6c08696e01e383159

        SHA1

        d875dc52da43ce5f31b84912d713da671bc7dda6

        SHA256

        e67552b2fd42fae67d7de039c62d172e7411d219d7dc0b580c6b0b298b4ed43f

        SHA512

        ebe20e92ca856b88781c6044c3c0650f18d9760a46d9c1a9e0a7cd6919fa3230b14f5e227e2c35d87cd7724e17aaccf06b0441e75201ae715fbd1f3281b27a03

        Download Submit
      • C:\ProgramData\Microsoft OneDrive\akatxdg
        Filesize

        654B

        MD5

        9900252d87369ad6c08696e01e383159

        SHA1

        d875dc52da43ce5f31b84912d713da671bc7dda6

        SHA256

        e67552b2fd42fae67d7de039c62d172e7411d219d7dc0b580c6b0b298b4ed43f

        SHA512

        ebe20e92ca856b88781c6044c3c0650f18d9760a46d9c1a9e0a7cd6919fa3230b14f5e227e2c35d87cd7724e17aaccf06b0441e75201ae715fbd1f3281b27a03

        Download Submit
      • C:\ProgramData\yrnkowk.html
        Filesize

        225KB

        MD5

        a3310c0288de46f755b3e07885327396

        SHA1

        08b2a92416fa452cf918211b3100023d07b88da4

        SHA256

        5abde51ecb61a099a3209236f7c4ac505540cf4eb03cb7db20d2589aa2343cf4

        SHA512

        3e48e4c3a36aa390871589fb983e58eac434e164cf930850d4a2b3184e55775f38d7a15e9de3217b40c47f5e99c7eb725367d7d3b5dd9f3fa7198b9f0cf45e28

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
        Filesize

        815KB

        MD5

        51ed7e8e341c08280b7a0217f7c39a3f

        SHA1

        079ad2df4a1db02c4170b7d44aaa189f16194fa1

        SHA256

        b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

        SHA512

        13c810699ca58e17a8a5e2bf36e3eeb5d404d5f740ae833fc06f3bcef3aa3cb01da6d373be07a32e29cc613c09803132b8b1a28928a2ffd35abc60b1918168be

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
        Filesize

        815KB

        MD5

        51ed7e8e341c08280b7a0217f7c39a3f

        SHA1

        079ad2df4a1db02c4170b7d44aaa189f16194fa1

        SHA256

        b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

        SHA512

        13c810699ca58e17a8a5e2bf36e3eeb5d404d5f740ae833fc06f3bcef3aa3cb01da6d373be07a32e29cc613c09803132b8b1a28928a2ffd35abc60b1918168be

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
        Filesize

        815KB

        MD5

        51ed7e8e341c08280b7a0217f7c39a3f

        SHA1

        079ad2df4a1db02c4170b7d44aaa189f16194fa1

        SHA256

        b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

        SHA512

        13c810699ca58e17a8a5e2bf36e3eeb5d404d5f740ae833fc06f3bcef3aa3cb01da6d373be07a32e29cc613c09803132b8b1a28928a2ffd35abc60b1918168be

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
        Filesize

        815KB

        MD5

        51ed7e8e341c08280b7a0217f7c39a3f

        SHA1

        079ad2df4a1db02c4170b7d44aaa189f16194fa1

        SHA256

        b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

        SHA512

        13c810699ca58e17a8a5e2bf36e3eeb5d404d5f740ae833fc06f3bcef3aa3cb01da6d373be07a32e29cc613c09803132b8b1a28928a2ffd35abc60b1918168be

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
        Filesize

        815KB

        MD5

        51ed7e8e341c08280b7a0217f7c39a3f

        SHA1

        079ad2df4a1db02c4170b7d44aaa189f16194fa1

        SHA256

        b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

        SHA512

        13c810699ca58e17a8a5e2bf36e3eeb5d404d5f740ae833fc06f3bcef3aa3cb01da6d373be07a32e29cc613c09803132b8b1a28928a2ffd35abc60b1918168be

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.brkqcsi
        Filesize

        36KB

        MD5

        365ddada87d4ccf9456141b0e0cc9756

        SHA1

        623875fbbb4c42d3a68d4cd5cd41a3712614139a

        SHA256

        4db0418c14ae7712a28d60f0a5cdf0286e1b5110e1d32ffdda24a2f499c385ab

        SHA512

        8ba92268bed8691fc86ff1506af8d672f1fa04d4be5f6db589b9d68a6f717bd05e97b70c3724d0eeb9943c51f357590e13a45b953abcfcba96b17d2b99c82e67

        Download Submit
      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dajjvan.exe.log
        Filesize

        397B

        MD5

        ce4eda6d244da60119efce9ff9131f1d

        SHA1

        534bbbf5eb3096d685a46562793497f404b316cc

        SHA256

        9e49b79135cf5b7c732e862973bb5fb37ddd68a8c7f7cd4c45d70a2e8de54c41

        SHA512

        3e9de662a7d015a6e6651d1b8b40ab67b0ac34b15a7e7842590cf81a64edbc9ae64daecd8ff45096fe751ea7cf4d1f847ba11bf87484c66938e8b81f40dd2e95

        Download Submit
      • memory/780-148-0x0000000024380000-0x00000000243F7000-memory.dmp
        Filesize

        476KB

        Download
      • memory/1192-147-0x0000000001960000-0x0000000001BAB000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/1192-141-0x0000000000000000-mapping.dmp
        Download
      • memory/1616-132-0x0000000075310000-0x00000000758C1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1616-137-0x0000000075310000-0x00000000758C1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2264-151-0x0000000000000000-mapping.dmp
        Download
      • memory/3344-153-0x0000000000000000-mapping.dmp
        Download
      • memory/3876-163-0x0000000074770000-0x0000000074D21000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/3876-158-0x0000000000000000-mapping.dmp
        Download
      • memory/4812-138-0x00000000017E0000-0x0000000001A2B000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/4812-134-0x0000000000400000-0x00000000004A5000-memory.dmp
        Filesize

        660KB

        Download
      • memory/4812-135-0x0000000000400000-0x00000000004A5000-memory.dmp
        Filesize

        660KB

        Download
      • memory/4812-136-0x00000000015C0000-0x00000000017DA000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/4812-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4840-161-0x0000000000000000-mapping.dmp
        Download
      • memory/4840-167-0x0000000001180000-0x00000000013CB000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/4860-146-0x0000000074780000-0x0000000074D31000-memory.dmp
        Filesize

        5.7MB

        Download