Analysis
-
max time kernel
150s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
28-11-2022 17:23
General
-
Target
d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe
-
Size
954KB
-
MD5
856cefc0c0bbe54ac88d71135c3437df
-
SHA1
a3175ff2386fb6a266743fba99e72549b5281d62
-
SHA256
d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79
-
SHA512
17d369d2ca266b72abbabb41405699f09934525175e230d7fa4342efa6242e0642a9b23f60c23934aa33e63cd7e31715356ce948ccabd3510274da028e99eb65
-
SSDEEP
24576:pWt9iMnSn9wESmhYJBg3CztbeNr5X4GOL8:Ut9iMnSn9wE8JqYtaNr5XsY
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-abrgzxi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-abrgzxi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\ProgramData\zlwdkgg.html
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe"C:\Users\Admin\AppData\Local\Temp\d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.EXe"C:\Users\Admin\AppData\Local\Temp/d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.EXe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {6BA5B8A4-ED58-4357-8B16-308408FF3003} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeC:\Users\Admin\AppData\Local\Temp\pdfisga.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.EXe"C:\Users\Admin\AppData\Local\Temp/pdfisga.EXe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.EXe"C:\Users\Admin\AppData\Local\Temp\pdfisga.EXe" -u4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.EXe"C:\Users\Admin\AppData\Local\Temp/pdfisga.EXe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Mozilla\xptppmlFilesize
654B
MD59e399d5697fb2819c1662036024749d8
SHA112def11533993fab9e894039c9bc92d79e1620f8
SHA25696ffd334aa66366b7bc393fdb538261574c7c488b89d7a445a203f31dfb5870a
SHA512313136ffcdd1c1fbbd17664439acb9967785be2630926ce516036eba9dcb0d968ae39a397fa81b0e3f76d5c1be2127b8f80b194783d02a1542b2abc22ccfe06d
-
C:\ProgramData\Mozilla\xptppmlFilesize
654B
MD5a42183c956fd1e97ff781903ffb2a187
SHA1c44398228c866b9141d37a494efd72b8a5b8fbd3
SHA256239d453a7600d593bd484986887b817a983d4fdc7b08a6ad1b03fab6499bbad6
SHA51270b5e07536831b4abd176e4e8dc45f4cde6dae316ac411355f72444063c6e0c87f61090115f0ff1febd32705637dd4c0421750f2ef894bbda5d532ed1e205165
-
C:\ProgramData\Mozilla\xptppmlFilesize
654B
MD5280833d8f3d449546280b23f61529182
SHA1cb07eaf80710b1dba828dddae2d0de4a9e350c20
SHA2567c5babb11343d46eff1b34c5de6ae3fc7b6576590dd60393cbeee377b8f85bfe
SHA51284417cc9572d76100c74b52ae97e486ce2c27baa4fc3224d73735e922bf7b1050f620444ae2f778ff44779cd81611b4894849dd6b972b74e6e48d3205380ba63
-
C:\ProgramData\Mozilla\xptppmlFilesize
654B
MD57373315d28635fe40fcd87fe07e65043
SHA10286caecba99492776b019133f8158b8fc340316
SHA256f7921d126aceb0a271ea7bf74051edf3016d43264f03392ec993e37fb0007a66
SHA512de22618f49a73b0f4794f25e917af0af5b467c4d933c26d215f7af84de21effb9dec3306fbb6860f0f93080421f1c1d0625257d95ac273d86c46fc86e32e01a7
-
C:\ProgramData\zlwdkgg.htmlFilesize
62KB
MD5eaafd5ad96c6ada32099a7cfb15f1e3d
SHA1c01e035b9c9cf7a5c14cb00d372b445e9f44b6d9
SHA25610878f586a5d4779b3f5f0be95a88da81b0775532cf8be9cd3fa3e3f17fa1bb4
SHA512b74d01281125a2599b645fd80457594c6c9d317f4c50ca47adda76ae6e9b2b2d8224bd56e7717642acd84970282da69bb09c4e2f77232532b05f402e06fec361
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
954KB
MD5856cefc0c0bbe54ac88d71135c3437df
SHA1a3175ff2386fb6a266743fba99e72549b5281d62
SHA256d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79
SHA51217d369d2ca266b72abbabb41405699f09934525175e230d7fa4342efa6242e0642a9b23f60c23934aa33e63cd7e31715356ce948ccabd3510274da028e99eb65
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
954KB
MD5856cefc0c0bbe54ac88d71135c3437df
SHA1a3175ff2386fb6a266743fba99e72549b5281d62
SHA256d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79
SHA51217d369d2ca266b72abbabb41405699f09934525175e230d7fa4342efa6242e0642a9b23f60c23934aa33e63cd7e31715356ce948ccabd3510274da028e99eb65
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
954KB
MD5856cefc0c0bbe54ac88d71135c3437df
SHA1a3175ff2386fb6a266743fba99e72549b5281d62
SHA256d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79
SHA51217d369d2ca266b72abbabb41405699f09934525175e230d7fa4342efa6242e0642a9b23f60c23934aa33e63cd7e31715356ce948ccabd3510274da028e99eb65
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
954KB
MD5856cefc0c0bbe54ac88d71135c3437df
SHA1a3175ff2386fb6a266743fba99e72549b5281d62
SHA256d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79
SHA51217d369d2ca266b72abbabb41405699f09934525175e230d7fa4342efa6242e0642a9b23f60c23934aa33e63cd7e31715356ce948ccabd3510274da028e99eb65
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeFilesize
954KB
MD5856cefc0c0bbe54ac88d71135c3437df
SHA1a3175ff2386fb6a266743fba99e72549b5281d62
SHA256d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79
SHA51217d369d2ca266b72abbabb41405699f09934525175e230d7fa4342efa6242e0642a9b23f60c23934aa33e63cd7e31715356ce948ccabd3510274da028e99eb65
-
memory/592-91-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmpFilesize
8KB
-
memory/592-87-0x00000000003E0000-0x0000000000457000-memory.dmpFilesize
476KB
-
memory/592-85-0x00000000003E0000-0x0000000000457000-memory.dmpFilesize
476KB
-
memory/744-90-0x0000000000000000-mapping.dmp
-
memory/948-67-0x00000000008E0000-0x0000000000B2B000-memory.dmpFilesize
2.3MB
-
memory/948-56-0x0000000000400000-0x00000000004A5000-memory.dmpFilesize
660KB
-
memory/948-57-0x0000000000400000-0x00000000004A5000-memory.dmpFilesize
660KB
-
memory/948-64-0x00000000006C0000-0x00000000008DA000-memory.dmpFilesize
2.1MB
-
memory/948-61-0x0000000000401FA3-mapping.dmp
-
memory/948-66-0x00000000759F1000-0x00000000759F3000-memory.dmpFilesize
8KB
-
memory/948-68-0x0000000000400000-0x00000000004A4600-memory.dmpFilesize
657KB
-
memory/948-60-0x0000000000400000-0x00000000004A5000-memory.dmpFilesize
660KB
-
memory/1048-59-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1048-62-0x00000000029F0000-0x0000000002A3C000-memory.dmpFilesize
304KB
-
memory/1048-65-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1184-98-0x0000000000000000-mapping.dmp
-
memory/1184-108-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1464-84-0x00000000006D0000-0x000000000091B000-memory.dmpFilesize
2.3MB
-
memory/1464-78-0x0000000000401FA3-mapping.dmp
-
memory/1924-97-0x0000000000000000-mapping.dmp
-
memory/1952-114-0x0000000000000000-mapping.dmp
-
memory/2020-79-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2020-70-0x0000000000000000-mapping.dmp
-
memory/2032-106-0x0000000000401FA3-mapping.dmp