a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91

Analysis

max time kernel
152s
max time network
52s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe
Size

140KB
MD5

d06a88f85f14fa2951739cc0b565ac52
SHA1

8d6b94956c7cf0787c6043a3d372f98c3b55307e
SHA256

a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91
SHA512

c6f5561d1554201331e98fac4045d50f72b89c3b2defefcb56e694ddc762894b95ba32a496c137ff6fc9f712fad9140964eba0833679d57ca14d092d600402bd
SSDEEP

1536:YnJFc6Xg/VwssUfw5GZS5u61rC634cmY77UsMJXGoQDnzqLcTJLO01DvqlWgB0gZ:mJFc6QtRLYt77UsMJXGoFDwfG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ctdol.exe

Executes dropped EXE 1 IoCs

pid	Process
1344	ctdol.exe

Loads dropped DLL 2 IoCs

pid	Process
1348	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe
1348	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /v"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /w"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /p"	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /e"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /j"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /i"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /h"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /x"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /l"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /p"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /f"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /g"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /a"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /d"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /u"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /z"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /k"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /r"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /y"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /s"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /m"	ctdol.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /t"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /o"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /n"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /c"	ctdol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctdol = "C:\\Users\\Admin\\ctdol.exe /b"	ctdol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1348	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe
1344	ctdol.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1348	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe
1348	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe
1344	ctdol.exe
1344	ctdol.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1344	1348	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe	28
PID 1348 wrote to memory of 1344	1348	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe	28
PID 1348 wrote to memory of 1344	1348	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe	28
PID 1348 wrote to memory of 1344	1348	a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe	28

C:\Users\Admin\AppData\Local\Temp\a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe
"C:\Users\Admin\AppData\Local\Temp\a2ca1f29e154ba98b589967c2ca5fcf5e96f0f3c0e1a6fbe740e0d29b907fa91.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\ctdol.exe
  "C:\Users\Admin\ctdol.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ctdol.exe

Filesize
140KB

MD5
3e6dc07ca61376ac31d604cc71f39102

SHA1
68cd9d5005e56ca945404195d869abad36b09939

SHA256
4871462caac6bc2b3b13745148b13601507f5073091d12bf7e01244912d114c8

SHA512
b57151006f5752826d838394f8e5f39be5b0ba3bf27cf20df132d571e820895da1abe919f7ec2a95e803a69a48447508a076c8e6312c5b46ef292ffbce4c1d33

Download Submit
C:\Users\Admin\ctdol.exe

Filesize
140KB

MD5
3e6dc07ca61376ac31d604cc71f39102

SHA1
68cd9d5005e56ca945404195d869abad36b09939

SHA256
4871462caac6bc2b3b13745148b13601507f5073091d12bf7e01244912d114c8

SHA512
b57151006f5752826d838394f8e5f39be5b0ba3bf27cf20df132d571e820895da1abe919f7ec2a95e803a69a48447508a076c8e6312c5b46ef292ffbce4c1d33

Download Submit
\Users\Admin\ctdol.exe

Filesize
140KB

MD5
3e6dc07ca61376ac31d604cc71f39102

SHA1
68cd9d5005e56ca945404195d869abad36b09939

SHA256
4871462caac6bc2b3b13745148b13601507f5073091d12bf7e01244912d114c8

SHA512
b57151006f5752826d838394f8e5f39be5b0ba3bf27cf20df132d571e820895da1abe919f7ec2a95e803a69a48447508a076c8e6312c5b46ef292ffbce4c1d33

Download Submit
\Users\Admin\ctdol.exe

Filesize
140KB

MD5
3e6dc07ca61376ac31d604cc71f39102

SHA1
68cd9d5005e56ca945404195d869abad36b09939

SHA256
4871462caac6bc2b3b13745148b13601507f5073091d12bf7e01244912d114c8

SHA512
b57151006f5752826d838394f8e5f39be5b0ba3bf27cf20df132d571e820895da1abe919f7ec2a95e803a69a48447508a076c8e6312c5b46ef292ffbce4c1d33

Download Submit
memory/1348-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download