Analysis

  • max time kernel
    218s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-11-2022 18:01

General

  • Target

    2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe

  • Size

    692KB

  • MD5

    eef1051839abf0ad0cbe49488617672f

  • SHA1

    d8d42dc918225d20b3388a056fe503f4d5524074

  • SHA256

    2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72

  • SHA512

    a7eedc50cfa5bba76ffc7ce41f14b32687080b8842e94de949ff6288bedafc4a57f0f386f984e3dcf7191290879677d28c17e0652f0e14adf6a43b1e78efb9db

  • SSDEEP

    12288:VQiHYh6UeeLrQp0/XoU8bTRsdi9JSZPLGhX9H1QO7l4n2A1muOhsXL:dQ6UeeLkMB8bTRskSjeXh+Ok7OhY

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eobbgfm.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. SADHTVG-IPYHZO6-ODQMDUK-ZE6GPEN-FXDEBLO-YJM2SWQ-YOTQJG4-R3KHPCM TV72XVC-WMN4RX4-YFR66AQ-RV5TMD2-C42KSYC-NIKFLLR-S2P4NWQ-XAFA6NI OOETYG4-XWIXE7M-YPSTHH4-XZ2RTMX-WHIAKVA-Q3TDPWR-LM234AR-O7ADDOM Follow the instructions on the server.
URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Executes dropped EXE (2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops file in Program Files directory
    PID:600
  • C:\Users\Admin\AppData\Local\Temp\2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe
    "C:\Users\Admin\AppData\Local\Temp\2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Users\Admin\AppData\Local\Temp\2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe
      "C:\Users\Admin\AppData\Local\Temp\2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:336
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {EEB6C6CD-2FBC-45AA-AC6E-4B26806A3B35} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe
      C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe
        "C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1780

Network

MITRE ATT&CK Matrix

Downloads

  • C:\ProgramData\Package Cache\upjjgia
    Filesize

    654B

    MD5

    28da8b630b86c543a879f0fcdd1ce547

    SHA1

    2927abf63f194eafd85968663951d87a7996b675

    SHA256

    ec6f6e40f60d24e072bc34f9ba4448b8765d1c05135a1245f677c428fb6f5b92

    SHA512

    3de782c76ecd4ace188651c2884e3534624eb5e11f115e6e69db4ba9bf5f48b1046cbff46ca6e70d030bba0fced957d786ca2e4bf115b1cbc15e7f2cca154d88

  • C:\ProgramData\Package Cache\upjjgia
    Filesize

    654B

    MD5

    dee5267149404ed8c305f27c5977fc91

    SHA1

    227d75c6168f4e1c263f671aeeca2ca8b2027dab

    SHA256

    d6c0e29c6ccd48598e09784b7c926d9b7decaa12cac864c993d6b9745ba749b2

    SHA512

    f5663eac53a6e66f98e8b17786dc08c423ad959fd80970490214d253d0a3d26d317117cd03640123c36a9fad7b2dfacfe4db16fa42c57985a0d047cabba9115d

  • C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe
    Filesize

    692KB

    MD5

    eef1051839abf0ad0cbe49488617672f

    SHA1

    d8d42dc918225d20b3388a056fe503f4d5524074

    SHA256

    2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72

    SHA512

    a7eedc50cfa5bba76ffc7ce41f14b32687080b8842e94de949ff6288bedafc4a57f0f386f984e3dcf7191290879677d28c17e0652f0e14adf6a43b1e78efb9db

  • memory/336-65-0x0000000000870000-0x0000000000ABB000-memory.dmp
    Filesize

    2.3MB

  • memory/336-63-0x00000000759F1000-0x00000000759F3000-memory.dmp
    Filesize

    8KB

  • memory/336-64-0x0000000000401000-0x00000000004A5000-memory.dmp
    Filesize

    656KB

  • memory/336-54-0x0000000000400000-0x00000000004A5000-memory.dmp
    Filesize

    660KB

  • memory/336-62-0x0000000000650000-0x000000000086A000-memory.dmp
    Filesize

    2.1MB

  • memory/336-55-0x0000000000400000-0x00000000004A5000-memory.dmp
    Filesize

    660KB

  • memory/336-61-0x0000000000400000-0x00000000004A5000-memory.dmp
    Filesize

    660KB

  • memory/336-59-0x0000000000401FA3-mapping.dmp
  • memory/336-57-0x0000000000400000-0x00000000004A5000-memory.dmp
    Filesize

    660KB

  • memory/600-81-0x0000000000520000-0x0000000000597000-memory.dmp
    Filesize

    476KB

  • memory/600-83-0x0000000000520000-0x0000000000597000-memory.dmp
    Filesize

    476KB

  • memory/1076-67-0x0000000000000000-mapping.dmp
  • memory/1780-80-0x0000000000800000-0x0000000000A4B000-memory.dmp
    Filesize

    2.3MB

  • memory/1780-74-0x0000000000401FA3-mapping.dmp