Overview

overview

10

Static

static

3

samples4.zip

windows7-x64

1

samples4.zip

windows10-2004-x64

1

0e60d49a96...01.exe

windows7-x64

0e60d49a96...01.exe

windows10-2004-x64

1ce5dd21fb...1e.exe

windows7-x64

10

1ce5dd21fb...1e.exe

windows10-2004-x64

10

3c73425d02...e6.exe

windows7-x64

6

3c73425d02...e6.exe

windows10-2004-x64

6

5df6314b5c...5b.exe

windows7-x64

10

5df6314b5c...5b.exe

windows10-2004-x64

10

5ee5166c02...93.exe

windows7-x64

10

5ee5166c02...93.exe

windows10-2004-x64

10

5f7cdd8c28...02.exe

windows7-x64

7

5f7cdd8c28...02.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2024 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0/5ee5166c02636f294fb8f6da69d5c0ae893.exe

  • Size

    2.2MB

  • MD5

    71a4ba0fe0bc0cb450b8966cb585f757

  • SHA1

    eccb76a942b3359d8dbf4c12e6bc3be0c8627eca

  • SHA256

    5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0

  • SHA512

    5748e02e83ea32118013741680be6e2eea398b05cde8c359e0db9126175ce63a4890e7ca654e5a5930970889aa2598c650395972107d41522e55207dd5460c01

  • SSDEEP

    12288:QnQY+2XG1Inz4vM/nlBKSduzxx73zDJnaPxMrFHQJGTTqTdd1o/CMj:QbGOnbzuHT5naPxUHQATTqzi/Cu

Score
10/10
ctblockerransomware

Malware Config

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of UnmapMainImage
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0\5ee5166c02636f294fb8f6da69d5c0ae893.exe
      "C:\Users\Admin\AppData\Local\Temp\5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0\5ee5166c02636f294fb8f6da69d5c0ae893.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2676
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:608
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      2⤵
        PID:2560
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        2⤵
          PID:1336
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {DA96CEF5-8231-4C57-8C72-6C078EC0B9FE} S-1-5-18:NT AUTHORITY\System:Service:
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Users\Admin\AppData\Local\Temp\xuwiumk.exe
          C:\Users\Admin\AppData\Local\Temp\xuwiumk.exe
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows all
            3⤵
            • Interacts with shadow copies
            PID:1524
          • C:\Users\Admin\AppData\Local\Temp\xuwiumk.exe
            "C:\Users\Admin\AppData\Local\Temp\xuwiumk.exe" -u
            3⤵
            • Executes dropped EXE
            PID:800

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Indicator Removal

      2
      T1070

      File Deletion

      2
      T1070.004

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      2
      T1490

      Defacement

      1
      T1491

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Adobe\fkayusg
        Filesize

        654B

        MD5

        b835d5d36dd5ad8e66e2b809a5dd3839

        SHA1

        d20d121c209dcf0d12cbf5da16de80e7159838f9

        SHA256

        bc0d58f65ea394bd70903960dfa8613acad4901e35f8a10cab5df6789b6672e9

        SHA512

        4037988e0c4e4ea0d283230229eb88076f7f4f163ce8f4e95b60d5b24fb93ac6d41c841e822b95097a42f202cefef6bbc4ef3bce4a12526625a794dbeca3a733

        Download Submit
      • C:\ProgramData\Adobe\fkayusg
        Filesize

        654B

        MD5

        d4c3ab1feac13d04b2a2a73602f40aed

        SHA1

        beee1ca749cd62616172d5b14695f1aa40060a16

        SHA256

        c85cba278eb93b9c0c6f19636f23bcfe39577ba16da703fe1d012b19ce3edcbb

        SHA512

        d96b70818421be7ea1689dbff06fcdf62eb160c32cf63e83a098255b72ca239419a9bd8b4b0be9506ac7a4061df89949c5006c672f47a3d52c23c4b48414a081

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\xuwiumk.exe
        Filesize

        1.1MB

        MD5

        b825019cda619718ed5c704327d8832d

        SHA1

        305ca2cd4dac0c560ee4bec107a8a3fdfaa4ec95

        SHA256

        f210148ae3309d2a6adb8442c730dc44ce2cf89db3cd0b467a0322a97c6853b8

        SHA512

        d993ee286274b1f5df35677dbe85dbe2629a6f8d569bbfb4df05282b8aeb250ca7b1eba6bc10bbfc94742d2d1b930a1126e30636314aa1f472a427d0f5b836e5

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\xuwiumk.exe
        Filesize

        844KB

        MD5

        c7a4045f61227cbc8d16e4fe8a07ff63

        SHA1

        a4bc953936cda6de6958fa91ad5f44e3e9bff5bd

        SHA256

        a127ad26fed4453f4150f8d527a82e698be2eac4820953df54565cd1ecfbe6d9

        SHA512

        9fbb74410dd200cd6b6ebfcc99c89d6a58d64a2c880b33bcdb9df58f0ae487022433ab057c04e77ac9966997f8d07a7b7e5c2b1d15f163d085e3bd76b52813b3

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\xuwiumk.exe
        Filesize

        462KB

        MD5

        71552eb371b63cb3c482dba415cbd032

        SHA1

        228ec45275065ebc0a0492a5fdc66cf626696af5

        SHA256

        8abbc04966d9f4566c5f2a008181aa4013d42a53898b2637b79042f7419e6ff1

        SHA512

        90c5920be8c566cc3c8fa7a71835318bce941d26e61bcae3b76f608afe1980435ab2e217359d8ba17b377bf3dcc68e7892d48d5f9977324764ea561a32aeea4d

        Download Submit
      • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
        Filesize

        129B

        MD5

        a526b9e7c716b3489d8cc062fbce4005

        SHA1

        2df502a944ff721241be20a9e449d2acd07e0312

        SHA256

        e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

        SHA512

        d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

        Download Submit
      • memory/608-1222-0x0000000000510000-0x0000000000587000-memory.dmp
        Filesize

        476KB

        Download
      • memory/608-21-0x0000000000510000-0x0000000000587000-memory.dmp
        Filesize

        476KB

        Download
      • memory/608-14-0x0000000000510000-0x0000000000587000-memory.dmp
        Filesize

        476KB

        Download
      • memory/608-15-0x0000000000510000-0x0000000000587000-memory.dmp
        Filesize

        476KB

        Download
      • memory/608-18-0x0000000000510000-0x0000000000587000-memory.dmp
        Filesize

        476KB

        Download
      • memory/608-11-0x0000000000510000-0x0000000000587000-memory.dmp
        Filesize

        476KB

        Download
      • memory/608-20-0x0000000000510000-0x0000000000587000-memory.dmp
        Filesize

        476KB

        Download
      • memory/608-12-0x0000000000510000-0x0000000000587000-memory.dmp
        Filesize

        476KB

        Download
      • memory/608-324-0x0000000000510000-0x0000000000587000-memory.dmp
        Filesize

        476KB

        Download
      • memory/2676-1-0x0000000000030000-0x0000000000031000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2676-2-0x00000000007E0000-0x0000000000A2B000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/2676-0-0x00000000005C0000-0x00000000007DA000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/2736-8-0x0000000000B10000-0x0000000000D5B000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/2736-1234-0x0000000000B10000-0x0000000000D5B000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/2736-1244-0x0000000000B10000-0x0000000000D5B000-memory.dmp
        Filesize

        2.3MB

        Download