Analysis
-
max time kernel
159s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
28-11-2022 17:44
General
-
Target
74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe
-
Size
920KB
-
MD5
f251200975ae1eb1df4fab9c1b715b77
-
SHA1
d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
-
SHA256
74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
-
SHA512
38717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
SSDEEP
24576:kr8/0SLiPVg2ruQFk28H4Z5fYySV7umi36+hn:kry0PV9FDgSG+l
Malware Config
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-glbuhbf.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\ProgramData\ystryfa.html
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Executes dropped EXE 4 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe"C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exeC:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4740 -ip 47401⤵
-
C:\Users\Admin\AppData\Local\Temp\lkeistk.exeC:\Users\Admin\AppData\Local\Temp\lkeistk.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lkeistk.exeC:\Users\Admin\AppData\Local\Temp\lkeistk.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lkeistk.exe"C:\Users\Admin\AppData\Local\Temp\lkeistk.exe" -u3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lkeistk.exeC:\Users\Admin\AppData\Local\Temp\lkeistk.exe4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5076 -ip 50761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 944 -ip 9441⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Packages\aznbbebFilesize
654B
MD54732b9a62b326718ddd8914c6611600a
SHA1e5324b2bf0e3df6f6c726001fd60bc6c54f75089
SHA256e0cdfd087a896e72351a708e2e6b16cd778a6785b10439fa1e71e34ec1e5137f
SHA512ca2cdf639cb0893677e2c7f7dac77088b230f31bc161a4c3f61476dcc43bfff571ae842eba42369e1ed948063aa7da1b6b5b3205fb59d1ca5d7ed05fc08c166b
-
C:\ProgramData\Packages\aznbbebFilesize
654B
MD54732b9a62b326718ddd8914c6611600a
SHA1e5324b2bf0e3df6f6c726001fd60bc6c54f75089
SHA256e0cdfd087a896e72351a708e2e6b16cd778a6785b10439fa1e71e34ec1e5137f
SHA512ca2cdf639cb0893677e2c7f7dac77088b230f31bc161a4c3f61476dcc43bfff571ae842eba42369e1ed948063aa7da1b6b5b3205fb59d1ca5d7ed05fc08c166b
-
C:\ProgramData\Packages\aznbbebFilesize
654B
MD5a123bfae61ecb9d2c45b5f3572164ea1
SHA1d67aa91a63568fd02e2035b2f01124c45466235c
SHA256260bdf764208acc103f201c26725657394bbb2791bb7b59f6ed8a7e32aa5bd62
SHA512671b75177a93ea87d98e1f1b705d1dbba7d55062514bcf50b4f8756878e39e8f08d63e80e6040ea6a76f4326a5ced1a98c60139e2ac64599b335c293259d2851
-
C:\ProgramData\Packages\aznbbebFilesize
654B
MD5654ea3c4b5485af2bf834ab6452577f7
SHA1389c6b0de6562260351c59e7f9743e3675d6f29f
SHA256af7dffb3a7882472a5dcee6e35b9ed731c632b9e1a654a34e78e28f70ba64205
SHA51291d394604f8373818beb3806e1e57e772e4ab5e4dc6e95e2d45fbdf753559fb6fab836e37061965203321f2793919ed456536969df62cdd8a551331b2922774c
-
C:\ProgramData\Packages\aznbbebFilesize
654B
MD5af217f6ba93bc620377b8623b89c8a10
SHA18484b30e08b4647b7ae11907871a9acebba9eaa8
SHA25653f07108ec261acb7fb09d03b8b4dc172868d117e6b8dd743f3d5246792ebb41
SHA5121b39f6638a3d6e94f303232f37d1e3260882930ad6f6e32874c7eb9260311d0f103735c016e391373d5451c74fba260524361621914e31707d80f2087148f65c
-
C:\ProgramData\ystryfa.htmlFilesize
226KB
MD5706f64ebfea3538efa69a79790eba6ee
SHA1b1c90082e9ecfa3331df16c421af036365d94bd7
SHA2560575860676c8edecba36afddc2c931c2ccdbafd9d69ff20b28b28900851ea066
SHA512b52e248eaed86a7c0df42a7f3d141353016c7bb97efda9bbcca70177df4f61e8e63af9cdb1b7c4a29a8889c35fc6758067a9fa509a5a9c7edf4ce5817d846b53
-
C:\Users\Admin\AppData\Local\Temp\lkeistk.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
C:\Users\Admin\AppData\Local\Temp\lkeistk.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
C:\Users\Admin\AppData\Local\Temp\lkeistk.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
C:\Users\Admin\AppData\Local\Temp\lkeistk.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
C:\Users\Admin\AppData\Local\Temp\lkeistk.exeFilesize
920KB
MD5f251200975ae1eb1df4fab9c1b715b77
SHA1d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA25674c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA51238717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.glbuhbfFilesize
36KB
MD563821c3486c7dfcf2440913bbe7b9fb0
SHA1746c84144ab968330b84b32fdacb0b1ec654a99f
SHA2567fd72ae38ac295fe43cc0c9ea65b697b12226430b42b307070c298aa8adb61b7
SHA51225124d6d3de075695b61ca7035b985f6afb7fb6ffdc9b4f9854d60489bd4d252bfca78f4f2c1555c097668c4975d2061c3c9d389ba6564000ecb50dad6eeff09
-
memory/780-146-0x0000000039500000-0x0000000039577000-memory.dmpFilesize
476KB
-
memory/944-156-0x0000000000000000-mapping.dmp
-
memory/3160-149-0x0000000000000000-mapping.dmp
-
memory/3656-154-0x0000000000000000-mapping.dmp
-
memory/3920-132-0x0000000000000000-mapping.dmp
-
memory/3920-135-0x0000000000760000-0x000000000097A000-memory.dmpFilesize
2.1MB
-
memory/3920-136-0x0000000000400000-0x00000000004A4600-memory.dmpFilesize
657KB
-
memory/3920-137-0x0000000000980000-0x0000000000BCB000-memory.dmpFilesize
2.3MB
-
memory/3920-133-0x0000000000400000-0x00000000004A5000-memory.dmpFilesize
660KB
-
memory/4208-158-0x0000000000000000-mapping.dmp
-
memory/4208-163-0x0000000000A30000-0x0000000000C7B000-memory.dmpFilesize
2.3MB
-
memory/4312-140-0x0000000000000000-mapping.dmp
-
memory/4312-145-0x00000000009D0000-0x0000000000C1B000-memory.dmpFilesize
2.3MB
