Analysis
-
max time kernel
151s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28-11-2022 17:44
General
-
Target
74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe
-
Size
920KB
-
MD5
f251200975ae1eb1df4fab9c1b715b77
-
SHA1
d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
-
SHA256
74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
-
SHA512
38717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
SSDEEP
24576:kr8/0SLiPVg2ruQFk28H4Z5fYySV7umi36+hn:kry0PV9FDgSG+l
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ezadlmn.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-ezadlmn.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\ProgramData\nydzthc.html
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe"C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exeC:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {FCE5563C-808B-4F1A-8823-9F10B3F876EA} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeC:\Users\Admin\AppData\Local\Temp\pcrcyge.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeC:\Users\Admin\AppData\Local\Temp\pcrcyge.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeC:\Users\Admin\AppData\Local\Temp\pcrcyge.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Package Cache\aubdarbFilesize
654B
MD51b4637b5bbb51c4abd560e1535d22278
SHA1ac39b45b9cf8d101552a83d962f86180f4dd12e7
SHA256665b40f10f856d40ea1b921ce408eb4279f8759fb1d5bd57c64c3d3bd8f96dda
SHA5121f6ed835293cb73dae096e826839201fc9402676da4faab1b1c9e15d09278ffb0b2806d1348bfbefcf8f35a6d494ae863e3a22b0504cc66a53bb251095e437b8
-
C:\ProgramData\Package Cache\aubdarbFilesize
654B
MD51b4637b5bbb51c4abd560e1535d22278
SHA1ac39b45b9cf8d101552a83d962f86180f4dd12e7
SHA256665b40f10f856d40ea1b921ce408eb4279f8759fb1d5bd57c64c3d3bd8f96dda
SHA5121f6ed835293cb73dae096e826839201fc9402676da4faab1b1c9e15d09278ffb0b2806d1348bfbefcf8f35a6d494ae863e3a22b0504cc66a53bb251095e437b8
-
C:\ProgramData\Package Cache\aubdarbFilesize
654B
MD53bef66e14ecd3b183c11a637e4340238
SHA146b25b25b91f40d05bce74e33e676838d8ecf12c
SHA25666fbd0e6cc36b06797c72d80fbf19835018c2bb6847d0d9edbb7143bef72102b
SHA512c5ddb8cff273f447e5d1685e2f9e57d15fb05822f4cc9ac3e8be857a2bfc1f57fc58ed953b5a4fdfa5f3633d5fee14aef4a64bccd18609b3e02cd13f8639b60e
-
C:\ProgramData\Package Cache\aubdarbFilesize
654B
MD54be1d463d47648803a41f55202d200cf
SHA103efe28f6d8d5efd2ccf1504944b458a8dec42ee
SHA2564c2e56d37a45f5525f533a1624d417254c4614f816998f6cc30e1dc34a3b955d
SHA5122d37a858516bb12b3038eccd95889fab3d8fa4f1e6d54e5853c034225198e5278cef2afd6fc844015120664e330eedbc4c7a8798d4f6f19335c4464c27320a22
-
C:\ProgramData\nydzthc.htmlFilesize
62KB
MD55c1b451558de6e8549be82d687f133c5
SHA1a3a8e1bf277492c21695a5f6d35334d37e5aa1ac
SHA2568e3a45e2e9027ccf2a908d7cdb6b0bb3645c3c65950ab6f39841231103fac1d4
SHA512905e4078103bd06cbe5f436bef9362d0e3805ccf2649ceab33ffece7de27e03ef433e6e6fac743750f9b54aa48202cb4e8d73bd6c5ff58e480cfe2aa42aaaf38
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
memory/588-71-0x0000000000440000-0x00000000004B7000-memory.dmpFilesize
476KB
-
memory/588-73-0x0000000000440000-0x00000000004B7000-memory.dmpFilesize
476KB
-
memory/588-76-0x000007FEFC511000-0x000007FEFC513000-memory.dmpFilesize
8KB
-
memory/600-65-0x0000000000401FA3-mapping.dmp
-
memory/600-70-0x00000000006D0000-0x000000000091B000-memory.dmpFilesize
2.3MB
-
memory/864-87-0x0000000000401FA3-mapping.dmp
-
memory/864-92-0x0000000000C10000-0x0000000000E5B000-memory.dmpFilesize
2.3MB
-
memory/944-62-0x0000000000000000-mapping.dmp
-
memory/1092-83-0x0000000000000000-mapping.dmp
-
memory/1176-77-0x0000000000000000-mapping.dmp
-
memory/1648-94-0x0000000000000000-mapping.dmp
-
memory/1728-54-0x0000000000400000-0x00000000004A5000-memory.dmpFilesize
660KB
-
memory/1728-60-0x0000000000950000-0x0000000000B9B000-memory.dmpFilesize
2.3MB
-
memory/1728-59-0x0000000075CF1000-0x0000000075CF3000-memory.dmpFilesize
8KB
-
memory/1728-58-0x0000000000400000-0x00000000004A4600-memory.dmpFilesize
657KB
-
memory/1728-57-0x0000000000730000-0x000000000094A000-memory.dmpFilesize
2.1MB
-
memory/1728-55-0x0000000000401FA3-mapping.dmp
-
memory/1908-84-0x0000000000000000-mapping.dmp