ctblocker | 995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f24e6374518fa7aed3d24a064a03bd23.exe
Size

654KB
MD5

f24e6374518fa7aed3d24a064a03bd23
SHA1

d0ffebdb6e5f97c2842d5578f889345b88224d5c
SHA256

995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22
SHA512

de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484
SSDEEP

12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\ProgramData\qfxncnc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://kph3onblkthy4z37.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	kxwldsk.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	kxwldsk.exe
1376	kxwldsk.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	kxwldsk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini	kxwldsk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	kxwldsk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	kxwldsk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	kxwldsk.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-agkjcae.bmp"	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5004	3056	WerFault.exe	36

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	kxwldsk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	kxwldsk.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{05dfbecd-0000-0000-0000-f0ff3a000000}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{05dfbecd-0000-0000-0000-d01200000000}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{05dfbecd-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{05dfbecd-0000-0000-0000-f0ff3a000000}\MaxCapacity = "2047"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00300035006400660062006500630064002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d00000030002c007b00300035006400660062006500630064002d0030003000300030002d0030003000300030002d0030003000300030002d006600300066006600330061003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{05dfbecd-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{05dfbecd-0000-0000-0000-f0ff3a000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133477573302355452"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133477574361107627"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133477574376574218"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133477573921886730"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133477574040168034"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133471171616417351"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133477574377199277"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133477573602199377"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133477574619230654"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133477574613136707"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133471171619698588"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133477574609386974"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133471171621417396"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133477573190867256"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133477574614074230"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133477573594855525"	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1196	f24e6374518fa7aed3d24a064a03bd23.exe
1196	f24e6374518fa7aed3d24a064a03bd23.exe
3056	kxwldsk.exe
3056	kxwldsk.exe
3056	kxwldsk.exe
3056	kxwldsk.exe
3056	kxwldsk.exe
3056	kxwldsk.exe
3056	kxwldsk.exe
3056	kxwldsk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	kxwldsk.exe
Token: SeDebugPrivilege	3056	kxwldsk.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1376	kxwldsk.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1376	kxwldsk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1376	kxwldsk.exe
1376	kxwldsk.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 804	3056	kxwldsk.exe	11
PID 804 wrote to memory of 4176	804	svchost.exe	94
PID 804 wrote to memory of 4176	804	svchost.exe	94
PID 804 wrote to memory of 5116	804	svchost.exe	96
PID 804 wrote to memory of 5116	804	svchost.exe	96
PID 804 wrote to memory of 3284	804	svchost.exe	99
PID 804 wrote to memory of 3284	804	svchost.exe	99
PID 3056 wrote to memory of 3432	3056	kxwldsk.exe	51
PID 3056 wrote to memory of 1376	3056	kxwldsk.exe	102
PID 3056 wrote to memory of 1376	3056	kxwldsk.exe	102
PID 3056 wrote to memory of 1376	3056	kxwldsk.exe	102
PID 804 wrote to memory of 4908	804	svchost.exe	105
PID 804 wrote to memory of 4908	804	svchost.exe	105
PID 804 wrote to memory of 4908	804	svchost.exe	105
PID 804 wrote to memory of 1404	804	svchost.exe	107
PID 804 wrote to memory of 1404	804	svchost.exe	107
PID 804 wrote to memory of 1404	804	svchost.exe	107
PID 804 wrote to memory of 1292	804	svchost.exe	108
PID 804 wrote to memory of 1292	804	svchost.exe	108
PID 804 wrote to memory of 2968	804	svchost.exe	109
PID 804 wrote to memory of 2968	804	svchost.exe	109
PID 804 wrote to memory of 2968	804	svchost.exe	109
PID 804 wrote to memory of 2540	804	svchost.exe	110
PID 804 wrote to memory of 2540	804	svchost.exe	110
PID 804 wrote to memory of 4072	804	svchost.exe	112
PID 804 wrote to memory of 4072	804	svchost.exe	112
PID 804 wrote to memory of 4072	804	svchost.exe	112
PID 804 wrote to memory of 2164	804	svchost.exe	113
PID 804 wrote to memory of 2164	804	svchost.exe	113
PID 804 wrote to memory of 2164	804	svchost.exe	113
PID 804 wrote to memory of 3684	804	svchost.exe	114
PID 804 wrote to memory of 3684	804	svchost.exe	114
PID 804 wrote to memory of 3684	804	svchost.exe	114
PID 804 wrote to memory of 1672	804	svchost.exe	115
PID 804 wrote to memory of 1672	804	svchost.exe	115
PID 804 wrote to memory of 1672	804	svchost.exe	115
PID 804 wrote to memory of 4812	804	svchost.exe	116
PID 804 wrote to memory of 4812	804	svchost.exe	116
PID 804 wrote to memory of 4812	804	svchost.exe	116
PID 804 wrote to memory of 3028	804	svchost.exe	117
PID 804 wrote to memory of 3028	804	svchost.exe	117
PID 804 wrote to memory of 768	804	svchost.exe	118
PID 804 wrote to memory of 768	804	svchost.exe	118
PID 804 wrote to memory of 768	804	svchost.exe	118

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\System32\wuapihost.exe
  C:\Windows\System32\wuapihost.exe -Embedding
  2⤵
  PID:4176
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:5116
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:3284
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4908
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1404
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:1292
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2968
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2540
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4072
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2164
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3684
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:1672
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:4812
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3028
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:768

C:\Users\Admin\AppData\Local\Temp\f24e6374518fa7aed3d24a064a03bd23.exe
"C:\Users\Admin\AppData\Local\Temp\f24e6374518fa7aed3d24a064a03bd23.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Users\Admin\AppData\Local\Temp\kxwldsk.exe
C:\Users\Admin\AppData\Local\Temp\kxwldsk.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\kxwldsk.exe
  "C:\Users\Admin\AppData\Local\Temp\kxwldsk.exe" -u
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 704
  2⤵
  - Program crash
  PID:5004

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3056 -ip 3056
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\qdqwduh

Filesize
654B

MD5
b265c63aa25bfed115269a1f6105ea42

SHA1
bc6e3831c0688a0a5b73e41deafa4a3744380649

SHA256
1fe287dbe485901540208c179d6dbb3608f7eb627e23c0d5b8e4c763134ab0d8

SHA512
ca33cd02aef17d1bb4d142787bdff6dabd26c05926fcdf8ebbc119ff311f07816d5afeb7f78a57fc89050b514091667fd52b302532580d8edd0530539e70a96c

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\qdqwduh

Filesize
654B

MD5
54bf8b5a8b5552f3febbcbf83497c62e

SHA1
b68d7fc423e6dcbbfd75c51e15014f1cd4915d58

SHA256
bf6ce10f062a88402e7bcf266e303bb9c896601d344eaa30e825431bd1c0cbb2

SHA512
24aaa0462e4d423dad22d3e747f45c784b93b63df922a542dd3092e26b4ab10bdfe8ac6b190ab3182687b1245f1a1a36df3f139ec5d5770f31ed338e8535df8e

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\qdqwduh

Filesize
654B

MD5
63c8b0611543397d1155817ded1e7ba5

SHA1
e27732783e1723484c12094c15e53f8d7b6e40bc

SHA256
9a74304ed81857949f5fec63e208985544b6d7d8a882250588fea4a3c0d9c974

SHA512
9da2dcb6d396502e33ff04d07259b68a7073d71d55ae75cd12fb02686e246e492c845a40dbf2f06a2927ba4a3fe93f2d8e278ee5b652a8d630aeeefbbc19170a

Download Submit
C:\ProgramData\qfxncnc.html

Filesize
128KB

MD5
ba847d4e0cd04b09ced31b31212fd128

SHA1
2c1893e76962d47092a23eded6a290389da531c1

SHA256
27d24091d4ba34d478a1da91ef4df652ce4367c229a78b910061d524e7910080

SHA512
4b22b3208509a431c579be294d0e1d7281f09673cea8071f8617bc9362947a19f8678e1ace90b53d607253192ab7e07fa8d5759033535676799f52813205b4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxwldsk.exe

Filesize
115KB

MD5
8499eb72c879d9a650914a722c4f1a4e

SHA1
11e48ffdd9c43844be25b0ac4a6a93a0a18c0d1b

SHA256
2493681bf9cd163deff8804bb9e684a97e9f2770ab1c9e78acfefb758a16471b

SHA512
b945f9ab51b73331a61f5357d92df8b6f30f5f5af3546b0138c4fa0fecea406b2d3c25fd1f984d2145c16daea22632ead59bce05529c45763961560212c623a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxwldsk.exe

Filesize
654KB

MD5
f24e6374518fa7aed3d24a064a03bd23

SHA1
d0ffebdb6e5f97c2842d5578f889345b88224d5c

SHA256
995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22

SHA512
de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxwldsk.exe

Filesize
64KB

MD5
59a68f3e5f8060aa2a97aeeeb9975afe

SHA1
fbd2993a332ff5f710a727af42a370bf31cd8bee

SHA256
c307f034d2a15096d2e3808cdd48f2e9a5b3cc89332648ce2e4547360c0c4584

SHA512
468dcd62ebe9be80b2ea092780148d4d5db4d49327f0d454efb4c09f592aa1c3130b7de1e94af7f736f034a617e411710aeb032f53049331d4680f8b617fe74c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.agkjcae

Filesize
36KB

MD5
a94ed064aa5413089ac6c913162e1a9a

SHA1
6b305cb651eebab1f9148eb03eb2e4bc73280263

SHA256
6c5441e2a2e0892de51cc3b18fd993d9300fd0d13d4c9a9dc99eff05a5eaaf3d

SHA512
082fcdeafb85d128d444e311c4733a23fa3b19bcbc1e6abfc2d609c23fb949e62335fe6ca499bf4644532fb1682371d022b024015fbf1baa1c5f1955f3452942

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/804-220-0x0000000033EF0000-0x0000000033F67000-memory.dmp

Filesize
476KB

Download
memory/804-15-0x0000000033EF0000-0x0000000033F67000-memory.dmp

Filesize
476KB

Download
memory/804-9-0x0000000033EF0000-0x0000000033F67000-memory.dmp

Filesize
476KB

Download
memory/804-19-0x0000000033EF0000-0x0000000033F67000-memory.dmp

Filesize
476KB

Download
memory/804-221-0x0000000033EF0000-0x0000000033F67000-memory.dmp

Filesize
476KB

Download
memory/804-12-0x0000000033EF0000-0x0000000033F67000-memory.dmp

Filesize
476KB

Download
memory/804-3373-0x0000000033EF0000-0x0000000033F67000-memory.dmp

Filesize
476KB

Download
memory/804-11-0x0000000033EF0000-0x0000000033F67000-memory.dmp

Filesize
476KB

Download
memory/804-17-0x0000000033EF0000-0x0000000033F67000-memory.dmp

Filesize
476KB

Download
memory/1196-0-0x00000000015D0000-0x00000000017EA000-memory.dmp

Filesize
2.1MB

Download
memory/1196-1-0x00000000017F0000-0x0000000001A3B000-memory.dmp

Filesize
2.3MB

Download
memory/1376-3404-0x00000000010B0000-0x00000000012FB000-memory.dmp

Filesize
2.3MB

Download
memory/1376-3405-0x00000000010B0000-0x00000000012FB000-memory.dmp

Filesize
2.3MB

Download
memory/3056-3385-0x00000000012C0000-0x000000000150B000-memory.dmp

Filesize
2.3MB

Download
memory/3056-6-0x00000000012C0000-0x000000000150B000-memory.dmp

Filesize
2.3MB

Download