Analysis
-
max time kernel
155s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28-11-2022 16:22
General
-
Target
e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
-
Size
820KB
-
MD5
53efb689f9f56262b571f68b11a21839
-
SHA1
0d31c13c910cbb2dd2979a3762a9223aa12eceee
-
SHA256
e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004
-
SHA512
f7c2723cee0b9d8db1f910e852d4e66f2a10de0710a106676b4f1a07cd6e8e49987d1cac9b30007014f9f8e108d0baccdbca2b7ce4ff863a09570851b9cbf43b
-
SSDEEP
24576:0tkyyQSspmUheMMyo+g7d9TEE4Zm36B5qbN8:0vSspFeMMDbd1F6BY
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-inlglmn.txt
http://onja764ig6vah2jo.onion.cab
http://onja764ig6vah2jo.tor2web.org
http://onja764ig6vah2jo.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-inlglmn.txt
http://onja764ig6vah2jo.onion.cab
http://onja764ig6vah2jo.tor2web.org
http://onja764ig6vah2jo.onion/
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {32051033-E5A5-49DD-906C-5606686ECC95} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeC:\Users\Admin\AppData\Local\Temp\pcrcyge.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeC:\Users\Admin\AppData\Local\Temp\pcrcyge.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52695c05fb9ba210095b5634212dcdc4d
SHA1c6e97b479efa66aecce662d15175364fe50d804d
SHA25613b83d55a584a585f7cba26b7a9af5bffd4d6a007864adc3cc66bda096d68d73
SHA51239ddf678b56d3098557aa375b1acdadd3b4b0ad4a272151325e012dd98f0453ca81618f0c6bb75983b6c4c5acaf02fb6fb7a0d5a9e3e0259e8ccebb3a704f36b
-
Filesize
654B
MD52695c05fb9ba210095b5634212dcdc4d
SHA1c6e97b479efa66aecce662d15175364fe50d804d
SHA25613b83d55a584a585f7cba26b7a9af5bffd4d6a007864adc3cc66bda096d68d73
SHA51239ddf678b56d3098557aa375b1acdadd3b4b0ad4a272151325e012dd98f0453ca81618f0c6bb75983b6c4c5acaf02fb6fb7a0d5a9e3e0259e8ccebb3a704f36b
-
Filesize
654B
MD5a6f635f0824e78aa8bc0b7af7ddbe5cc
SHA1b7f2e4cedd5917caf2efbe02e7f73f557f28163e
SHA256268a3722afc3c0c2f9f37ba11062a96abf21659c579242aacdcb78ef1357742a
SHA5125e229b4fe18f35cadc21ef815cebc049eeca47a5acac2bb6d70ad7ec308490876f1c37cedee66057901f2e429fd3761be4f5d22d97a5558bea9576c96d201ac4
-
Filesize
654B
MD567cb3db758351be897983a76ff0382bc
SHA14de1f0f5811471c05c2ace941cf2eb1b940a2669
SHA256020bf91da6e993c1b9b9508cdb6746b950f96f77845c30c70e87df8df3f5e822
SHA5124ab76b093958a92bd00d2ac85a02ff6d701822a5ea46c5f9a24b9d0f50e76c0dca72ae1aeb0ec4c88e4703e3cf670970a934ce64fe3cddc791531b50ac7beb9b
-
Filesize
820KB
MD553efb689f9f56262b571f68b11a21839
SHA10d31c13c910cbb2dd2979a3762a9223aa12eceee
SHA256e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004
SHA512f7c2723cee0b9d8db1f910e852d4e66f2a10de0710a106676b4f1a07cd6e8e49987d1cac9b30007014f9f8e108d0baccdbca2b7ce4ff863a09570851b9cbf43b
-
Filesize
820KB
MD553efb689f9f56262b571f68b11a21839
SHA10d31c13c910cbb2dd2979a3762a9223aa12eceee
SHA256e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004
SHA512f7c2723cee0b9d8db1f910e852d4e66f2a10de0710a106676b4f1a07cd6e8e49987d1cac9b30007014f9f8e108d0baccdbca2b7ce4ff863a09570851b9cbf43b
-
Filesize
820KB
MD553efb689f9f56262b571f68b11a21839
SHA10d31c13c910cbb2dd2979a3762a9223aa12eceee
SHA256e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004
SHA512f7c2723cee0b9d8db1f910e852d4e66f2a10de0710a106676b4f1a07cd6e8e49987d1cac9b30007014f9f8e108d0baccdbca2b7ce4ff863a09570851b9cbf43b
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
8KB
-
Filesize
2.3MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
8KB
-
Filesize
660KB
-
Filesize
660KB
-
Filesize
660KB
-
Filesize
660KB
-
Filesize
2.1MB
-
Filesize
2.3MB