Overview

overview

10

Static

static

3

9cd4cebf8b...fa.exe

windows7-x64

10

9cd4cebf8b...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2023 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cd4cebf8b04cd6864b59e4c0cf4aafa.exe

  • Size

    654KB

  • MD5

    9cd4cebf8b04cd6864b59e4c0cf4aafa

  • SHA1

    2287faa3026c5981f3796268112998ac1c06c5d3

  • SHA256

    748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

  • SHA512

    03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

  • SSDEEP

    12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\ProgramData\lcqvpnk.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://kph3onblkthy4z37.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\9cd4cebf8b04cd6864b59e4c0cf4aafa.exe
      "C:\Users\Admin\AppData\Local\Temp\9cd4cebf8b04cd6864b59e4c0cf4aafa.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2428
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:584
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:2516
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe -Embedding
        2⤵
          PID:1668
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          2⤵
            PID:1976
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {5A7B7C7A-C460-48A7-A26A-792E3C02489B} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Users\Admin\AppData\Local\Temp\dghogfg.exe
            C:\Users\Admin\AppData\Local\Temp\dghogfg.exe
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2072
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin delete shadows all
              3⤵
              • Interacts with shadow copies
              PID:2348
            • C:\Users\Admin\AppData\Local\Temp\dghogfg.exe
              "C:\Users\Admin\AppData\Local\Temp\dghogfg.exe" -u
              3⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:1984

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\zlmjlte
          Filesize

          654B

          MD5

          140165a09a03f678f2c32cf9706d3c03

          SHA1

          d6e8400cab0f298f1ebad97962730ef6e5871602

          SHA256

          2f0f2b9d8af9705a44099e4bf334815224ea8528b8374b4153bcc264f7dfb12f

          SHA512

          c011fdd95e018a173c0c270507a39e48af110100959b8c3f58646712cfe98901e43e597452f2000fa592d23911b24feaa45c8f8c97162174dc7e3d9d7b3af477

          Download Submit

        • C:\ProgramData\Microsoft\zlmjlte
          Filesize

          654B

          MD5

          4295435c54b916f2050e5d13e1c7c3c6

          SHA1

          0b8d9a6483d779e586ce1e9027f79d149895ca35

          SHA256

          1b0baa5c69d9f600d673bd1b83ca1ac02d3a076f4bfe50ded0dec22c63091b4a

          SHA512

          908319506c6c9750b6e072ba553fa8d6170ff73589bd6da97e5a95a44b5a4cb863d21c677bd90dc6fa5a28f6119521693621158fdb27cae2515d4b751618a9d4

          Download Submit

        • C:\ProgramData\lcqvpnk.html
          Filesize

          62KB

          MD5

          05bd3640706531c64595294ebbb2a801

          SHA1

          c57ee697cde98019044dded717794bff2e5a115c

          SHA256

          35c722f9e522d854ff88e42037abff5165d0d10d56e069295b537ba939aec561

          SHA512

          e54a334d151900598eb91d65e339508c03254c701bc2c38ee5585a81d88525fee5b80c67c6b4c749d103b1d13a07438e2c1f8b4afd6b5c0ad05166e26cf0b31a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dghogfg.exe
          Filesize

          654KB

          MD5

          9cd4cebf8b04cd6864b59e4c0cf4aafa

          SHA1

          2287faa3026c5981f3796268112998ac1c06c5d3

          SHA256

          748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

          SHA512

          03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
          Filesize

          129B

          MD5

          a526b9e7c716b3489d8cc062fbce4005

          SHA1

          2df502a944ff721241be20a9e449d2acd07e0312

          SHA256

          e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

          SHA512

          d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

          Download Submit

        • memory/584-10-0x0000000000260000-0x00000000002D7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/584-9-0x0000000000260000-0x00000000002D7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/584-13-0x0000000000260000-0x00000000002D7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/584-12-0x0000000000260000-0x00000000002D7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/584-16-0x0000000000260000-0x00000000002D7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/584-18-0x0000000000260000-0x00000000002D7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/584-20-0x0000000000260000-0x00000000002D7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/584-320-0x0000000000260000-0x00000000002D7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/584-1212-0x0000000000260000-0x00000000002D7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1984-1237-0x0000000000680000-0x00000000008CB000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/1984-1238-0x0000000000680000-0x00000000008CB000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/1984-1239-0x0000000000180000-0x0000000000181000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1984-1241-0x0000000000180000-0x0000000000181000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2072-6-0x0000000000720000-0x000000000096B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2072-1224-0x0000000000720000-0x000000000096B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2428-0-0x0000000000930000-0x0000000000B4A000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2428-1-0x0000000000B50000-0x0000000000D9B000-memory.dmp

          Filesize

          2.3MB

          Download