ctblocker | cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

Analysis

max time kernel
170s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
Size

802KB
MD5

102c9d8d99c9f453053d1f49620df11f
SHA1

47ab2f2f660832e3a38f6dee882431a5a2404729
SHA256

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27
SHA512

adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e
SSDEEP

12288:FgORozerFqm6tU2L6kwt0Z9YlU+iyKAqYpBuT+ZlI4O3dRvUC8yr3e9JKjv6JfPf:FZRFxVYJL7jYlU3vAqYphHcLmwCdSRkj

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-gkbiicl.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. OEPEG4O-4HZIGZQ-QJS3R7W-PMHGQY7-YEHARX4-V6O6JSB-KSVIPTP-PEMNULO KKK2XVA-NVDVBAO-KLNVVY6-PQEC4ZN-N5CEVSM-SJWAIFI-Y4VT3AG-A53T7JQ JK237ZR-LSIYTYK-47ZSLIH-27JUMKK-2MIXMKL-JAN7FNP-QCYZAX7-DUWY4VL Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-gkbiicl.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. OEPEG4O-4HZIGZQ-QJS3R7W-PMHGQY7-YEHARX4-V6O6JSB-KSVIPTP-PEMNULO KKK2XVA-NVDVBAO-KLNVVY6-PQEC4ZN-N5CEVSM-SJWAIFI-Y4VT3AG-A53T7JQ JK237ZR-LSIYTYK-47ZSLIH-27JUMKK-2MIX64L-FXN7FNP-QCYZAX7-DUWYOVY Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

gejzibk.exegejzibk.exe

pid process

1936 gejzibk.exe
756 gejzibk.exe

pid	process
1936	gejzibk.exe
756	gejzibk.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DenyAssert.CRW.gkbiicl	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExpandImport.CRW.gkbiicl	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\MergeReset.CRW.gkbiicl	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CopyCheckpoint.RAW.gkbiicl	svchost.exe

Loads dropped DLL 10 IoCs

Processes:

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exegejzibk.exegejzibk.exe

pid	process
1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
1936	gejzibk.exe
1936	gejzibk.exe
1936	gejzibk.exe
1936	gejzibk.exe
1936	gejzibk.exe
756	gejzibk.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe
Drops file in System32 directory 1 IoCs

Processes:

gejzibk.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\READ-ME-FIRST.txt gejzibk.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\READ-ME-FIRST.txt	gejzibk.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-gkbiicl.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exegejzibk.exe

description	pid	process	target process
PID 1076 set thread context of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1936 set thread context of 756	1936	gejzibk.exe	gejzibk.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-gkbiicl.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-gkbiicl.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\gejzibk.exe	nsis_installer_2

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

588 vssadmin.exe

pid	process
588	vssadmin.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061006200650065003700340034002d0031006100380032002d0031003100650064002d0038003200390030002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}	svchost.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exegejzibk.exe

pid	process
1520	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe
756	gejzibk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gejzibk.exe

description pid process

Token: SeDebugPrivilege 756 gejzibk.exe
Token: SeDebugPrivilege 756 gejzibk.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	756	gejzibk.exe
Token: SeDebugPrivilege	756	gejzibk.exe

pid	process
1296	Explorer.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exetaskeng.exegejzibk.exegejzibk.exesvchost.exe

description	pid	process	target process
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1076 wrote to memory of 1520	1076	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 1768 wrote to memory of 1936	1768	taskeng.exe	gejzibk.exe
PID 1768 wrote to memory of 1936	1768	taskeng.exe	gejzibk.exe
PID 1768 wrote to memory of 1936	1768	taskeng.exe	gejzibk.exe
PID 1768 wrote to memory of 1936	1768	taskeng.exe	gejzibk.exe
PID 1768 wrote to memory of 1936	1768	taskeng.exe	gejzibk.exe
PID 1768 wrote to memory of 1936	1768	taskeng.exe	gejzibk.exe
PID 1768 wrote to memory of 1936	1768	taskeng.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 1936 wrote to memory of 756	1936	gejzibk.exe	gejzibk.exe
PID 756 wrote to memory of 576	756	gejzibk.exe	svchost.exe
PID 756 wrote to memory of 1296	756	gejzibk.exe	Explorer.EXE
PID 576 wrote to memory of 384	576	svchost.exe	DllHost.exe
PID 576 wrote to memory of 384	576	svchost.exe	DllHost.exe
PID 576 wrote to memory of 384	576	svchost.exe	DllHost.exe
PID 756 wrote to memory of 588	756	gejzibk.exe	vssadmin.exe
PID 756 wrote to memory of 588	756	gejzibk.exe	vssadmin.exe
PID 756 wrote to memory of 588	756	gejzibk.exe	vssadmin.exe
PID 756 wrote to memory of 588	756	gejzibk.exe	vssadmin.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of UnmapMainImage
PID:1296

C:\Users\Admin\AppData\Local\Temp\cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
"C:\Users\Admin\AppData\Local\Temp\cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
"C:\Users\Admin\AppData\Local\Temp\cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:384

C:\Windows\system32\taskeng.exe
taskeng.exe {4D05BECB-61AA-408F-9573-C943A26D1F9F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
"C:\Users\Admin\AppData\Local\Temp\gejzibk.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:588

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
"C:\Users\Admin\AppData\Local\Temp\gejzibk.exe" -u
4⤵
PID:960

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\qrsyusl
Filesize
654B

MD5
8e16f5c2211bad228e71f0c63f1311eb

SHA1
22796afa38e5501d07538ae4ee9c4edbb25d4144

SHA256
42e3d4a70df1882d3f0947228e34c37d8b44de881eb7a86b6581de6136837ccd

SHA512
2bec778f818083991b31cbe83c1032700b911084e88bf8d440d50b3ebbfdde034b8d0e2d0da985a765f49f418671944e90b093b82f1dcb4d71b9606f345f8914

Download Submit
C:\ProgramData\Adobe\qrsyusl
Filesize
654B

MD5
8e16f5c2211bad228e71f0c63f1311eb

SHA1
22796afa38e5501d07538ae4ee9c4edbb25d4144

SHA256
42e3d4a70df1882d3f0947228e34c37d8b44de881eb7a86b6581de6136837ccd

SHA512
2bec778f818083991b31cbe83c1032700b911084e88bf8d440d50b3ebbfdde034b8d0e2d0da985a765f49f418671944e90b093b82f1dcb4d71b9606f345f8914

Download Submit
C:\ProgramData\Adobe\qrsyusl
Filesize
654B

MD5
cc191e0b1acb113e62ccd814c0dcc4c5

SHA1
1531d15991a39b45d498533403ce5f92f72514a1

SHA256
c08be256ce2bd417f9f7f7de35c56ac696b0b850cb8c58887b97bf163a946fd9

SHA512
d49c52920d615cdbb8824da35e84daa968f887e48445e1672ee7f2bea0872400e6bba7eef97fd478ed8f44ceebd6ff9e7b5062f8578580584ddf64d2841b44ac

Download Submit
C:\ProgramData\Adobe\qrsyusl
Filesize
654B

MD5
4fd35ac8fd4dd495940e51809f8fbb6d

SHA1
96923d436cbda0ecb64decb4ca41921ca20f48d6

SHA256
b7105ac270da4cb8ea70a2e75f37010779f70cc050aefddc3bb6f69275db82b0

SHA512
a95dd141b5b13a6edd693c1e7760115c781ea6bcead1406342de51f0f39273d5ead5653d51caac9dcf35f965a120264d56da7a5c75ec88fae330344cd09de719

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
802KB

MD5
102c9d8d99c9f453053d1f49620df11f

SHA1
47ab2f2f660832e3a38f6dee882431a5a2404729

SHA256
cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

SHA512
adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
802KB

MD5
102c9d8d99c9f453053d1f49620df11f

SHA1
47ab2f2f660832e3a38f6dee882431a5a2404729

SHA256
cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

SHA512
adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
802KB

MD5
102c9d8d99c9f453053d1f49620df11f

SHA1
47ab2f2f660832e3a38f6dee882431a5a2404729

SHA256
cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

SHA512
adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

Download Submit
C:\Users\Admin\AppData\Roaming\READ-ME-FIRST.TXT
Filesize
654KB

MD5
344689f5946142895cc657fb63041440

SHA1
b59c03f39c9dca8ce57dc505d155b54ab0571166

SHA256
73d6024f6026b7bc77010a5a957e70910ecce31fddc9f09bf2d5d3256f0c0a1c

SHA512
0796f9f3c91938d386bd2cb7d251535e71a8f3ef345cb9d4dba5dd3115a03321692b768e9f7010f76268ca9e5939f83ffbad106d5928a08af8f3f9bfd7862975

Download Submit
C:\Users\Admin\Desktop\ConvertFromMount.JPEG.gkbiicl
Filesize
376KB

MD5
d34f8e8ae63a9d3065f22c6b999a6f4d

SHA1
babea9b69fe51126aa7b0f2c5d9beff1d5c7deaa

SHA256
35029b0bfb0e9381859d331f1fbe309f550b515d0f7da6f6210463f97d28c317

SHA512
46ec8d4f405c12159fe58e826800442906cd11c3d5937a089a4edfa40b24a9bf0eac2e5b4bc0559dde33102eef750ffb60fa10c1afa312140114c54c730be3a9

Download Submit
C:\Users\Admin\Desktop\DisableBackup.ODS.gkbiicl
Filesize
392KB

MD5
30ad54b3157b7853fdbecf4884350f27

SHA1
a639a330c1b1e939368e97391fe834946337a18c

SHA256
5a6bde78f7099becee982e42fd89d596ed85294c7d1845da457b698efe3bbb18

SHA512
c76fbaea01bdca15438d9387c3031ffa80efaf3a99a6279c7b2df4f9c3a01ac1422e9403798223a4f8c81b167e4b65fc4d2f74d0ab37c026b5a459ff279cb13d

Download Submit
C:\Users\Admin\Desktop\PublishPing.PPTX.gkbiicl
Filesize
533KB

MD5
aaaa2621cc87fa53bcfccbc25f4cc132

SHA1
fd5dbe89aa73ff1310cfc1d5d7f4d9f0e375add6

SHA256
4fd2d02f77d9b64a25d40d211dc9362983c4d2693d1c2d9b47f3d3a7e43f2e8f

SHA512
e170bfe9654d32f2441801e621680885249b9cc51e9703f9531bcd2df440fde5c05ffd68871ad1a7f9f080e60ffb125b06b969c4f3596a72be28318488c53f08

Download Submit
C:\Users\Admin\Desktop\SkipRegister.ODS.gkbiicl
Filesize
580KB

MD5
9e0cd15aa0004d35472169b46fbd4aac

SHA1
821b9d13078fc61121b99a6ab14eaf2b53f0af11

SHA256
697984d0b15edc46edb35620aa2f0fc34210c6c708b43ef23d1931a6c748b307

SHA512
df48cfb30728350fc45f181e420aa029bea3611f4db43d4874565ff72a8575c7e741f8ba3e94b6e4b4ed4dfb8e527ca30d80ffe625478aed84ffcb2e4fa14bb1

Download Submit
\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
176KB

MD5
a9417cf53ed65a5626b4cf14cc3d395c

SHA1
596d9fdeb0f301ac213249be4e45f0990b528074

SHA256
345af4449c61d7af304c229ecee267c3caff4e3c7507ae328a34a7dce1c68598

SHA512
d8eae8b2b5cab3baef15c7cbb51ad473bdca7a91182af82b9f4acbb886a4dcec493c7a4ddfbb463542827c248d65bec8809fdef41e880c796b15b14322a2a574

Download Submit
\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
802KB

MD5
102c9d8d99c9f453053d1f49620df11f

SHA1
47ab2f2f660832e3a38f6dee882431a5a2404729

SHA256
cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

SHA512
adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

Download Submit
\Users\Admin\AppData\Local\Temp\nso6220.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nso6220.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nso6220.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nso6220.tmp\coelenterates.dll
Filesize
382KB

MD5
f2ce2e755d4f18546550ae4a7f2a6626

SHA1
2d4c874c00dc8006a75bd8e700d77952a08d101f

SHA256
aa237a70b8b8c08f00bb26fa5c9529b2a41e20222c18d40244459baad2fed3c7

SHA512
5cb452aaf18ee58bb49fd03581c58f8edd5d9c9c087f95b29638069c6fa5ea08999fc29bee8c95d3f346e979a9fa42f59a01e41f1019c5ea58725ef2567e9855

Download Submit
\Windows\Temp\nsy8826.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Windows\Temp\nsy8826.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Windows\Temp\nsy8826.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Windows\Temp\nsy8826.tmp\coelenterates.dll
Filesize
382KB

MD5
f2ce2e755d4f18546550ae4a7f2a6626

SHA1
2d4c874c00dc8006a75bd8e700d77952a08d101f

SHA256
aa237a70b8b8c08f00bb26fa5c9529b2a41e20222c18d40244459baad2fed3c7

SHA512
5cb452aaf18ee58bb49fd03581c58f8edd5d9c9c087f95b29638069c6fa5ea08999fc29bee8c95d3f346e979a9fa42f59a01e41f1019c5ea58725ef2567e9855

Download Submit
memory/384-104-0x0000000000000000-mapping.dmp

Download
memory/576-88-0x0000000001180000-0x00000000011F7000-memory.dmp

Filesize
476KB

Download
memory/576-90-0x0000000001180000-0x00000000011F7000-memory.dmp

Filesize
476KB

Download
memory/576-94-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/588-105-0x0000000000000000-mapping.dmp

Download
memory/756-87-0x0000000000880000-0x0000000000ACB000-memory.dmp

Filesize
2.3MB

Download
memory/756-82-0x0000000000401FA3-mapping.dmp

Download
memory/1076-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1520-67-0x0000000000840000-0x0000000000A8B000-memory.dmp

Filesize
2.3MB

Download
memory/1520-65-0x0000000000620000-0x000000000083A000-memory.dmp

Filesize
2.1MB

Download
memory/1520-63-0x0000000000401FA3-mapping.dmp

Download
memory/1520-62-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1520-60-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1520-68-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/1520-59-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1936-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads