Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-01-2024 15:38

General

  • Target

    5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0/5ee5166c02636f294fb8f6da69d5c0ae893.exe

  • Size

    2.2MB

  • MD5

    71a4ba0fe0bc0cb450b8966cb585f757

  • SHA1

    eccb76a942b3359d8dbf4c12e6bc3be0c8627eca

  • SHA256

    5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0

  • SHA512

    5748e02e83ea32118013741680be6e2eea398b05cde8c359e0db9126175ce63a4890e7ca654e5a5930970889aa2598c650395972107d41522e55207dd5460c01

  • SSDEEP

    12288:QnQY+2XG1Inz4vM/nlBKSduzxx73zDJnaPxMrFHQJGTTqTdd1o/CMj:QbGOnbzuHT5naPxUHQATTqzi/Cu

Score
10/10

Malware Config

Extracted

Path

C:\ProgramData\lcrueog.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Drops desktop.ini file(s) (2 IoCs)
  • Enumerates connected drives (3 TTPs, 1 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (5 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 2 IoCs)
  • Modifies data under HKEY_USERS (23 IoCs)
  • Modifies registry class (35 IoCs)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SendNotifyMessage (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of UnmapMainImage (1 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3560
      • C:\Users\Admin\AppData\Local\Temp\5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0\5ee5166c02636f294fb8f6da69d5c0ae893.exe
        "C:\Users\Admin\AppData\Local\Temp\5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0\5ee5166c02636f294fb8f6da69d5c0ae893.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3264
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:804
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        2⤵
        PID:2292
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        2⤵
        PID:4880
      • C:\Windows\System32\mousocoreworker.exe
        C:\Windows\System32\mousocoreworker.exe -Embedding
        2⤵
        PID:2260
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
        PID:2624
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
        PID:3416
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
        PID:2492
      • C:\Windows\system32\BackgroundTransferHost.exe
        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
        2⤵
        PID:4896
      • C:\Windows\system32\BackgroundTransferHost.exe
        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
        2⤵
        PID:180
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
        PID:5088
      • C:\Windows\system32\BackgroundTaskHost.exe
        "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
        2⤵
        PID:1420
  • C:\Users\Admin\AppData\Local\Temp\pcftxel.exe
    C:\Users\Admin\AppData\Local\Temp\pcftxel.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
      • C:\Users\Admin\AppData\Local\Temp\pcftxel.exe
        "C:\Users\Admin\AppData\Local\Temp\pcftxel.exe" -u
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4372
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 728
        2⤵
        • Program crash
        PID:1580
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1192 -ip 1192
    1⤵
    PID:3416

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    T1112 Modify Registry (2)
  • Discovery
    T1012 Query Registry (2)
    T1082 System Information Discovery (3)
    T1120 Peripheral Device Discovery (1)
  • Impact
    T1491 Defacement (1)

Downloads

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\csllzaa
    Filesize: 654B
    MD5: be0941561ee986e4e023b75b6ddb2425
    SHA1: 2085e0994538f6a48676fbd4909a8990cf5e0369
    SHA256: 8710149afed5be5d1411ff22b402f9a68dd5cf738170b681c86274f7dfcf83d2
    SHA512: ee675674c35eeaf3a749e737b3e2e7186faa26bd8b747aa7746d41d5d489a41e4cda70a7682df590522ed8723e5b157df5ce9228c664f57326295acfe259cc58

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\csllzaa
    Filesize: 654B
    MD5: e849abd43c9b7c4ede7aac692d3ec91b
    SHA1: 3524bfbe3e737dfafd3c7ba8659a0504d6d23693
    SHA256: f488b40901536fe9404befeba5688422355e69a0da99114722ed604da67786a0
    SHA512: cc054aa1d21dc5dd1de8182713a6ab8b42bd4b12ad127d0e32e3e5bf419050cd59f7dd6114544e908b394a4ed3a3d6cc0f80fadcb82d203986bb8ffe435611af

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\csllzaa
    Filesize: 654B
    MD5: 22710014cbcb4c4cfa420f35c780557e
    SHA1: e49906e5f04fafecfccbec7e595cd3b6daf8e24a
    SHA256: fd412ca09aab8b87e7954f61f5da678f4e6e96aa24428bc4ff8916636dd14ca2
    SHA512: d5bfe15e4ca85a8c56cb9f2d5f4d2b60449c2fdc64d121e8d39127490956bd42d8caade771710cf51240db76ba0c13b31da014ad37f7ee94e11d5b7a57c70d1d

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\csllzaa
    Filesize: 654B
    MD5: 8f5efa01c7217ea9f9e28fe87ed13df7
    SHA1: 7961a1c6599d4db649a2da578468a9d7be074904
    SHA256: c7bac4e7254ec928ffead5688dca22f9c3b6ec86759b167e61628a48f3c01244
    SHA512: b9ee8b830f4cf8c55dc8a581884ef9fc11f17c186f9d3efdba2beb0e01ae7751e255d121417fa145ff8e0c5805e94e07db15fba172ef0bd5cd89ab91731c04ff

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\csllzaa
    Filesize: 654B
    MD5: d3f79c34e1cac921bcdd5670fcacf24c
    SHA1: 91dd21f71bc34f827fbcb993c1e2507bdfc4434e
    SHA256: d4bbc984d19458e1242956cb6408ee77cdc05cfda94c4fdb96fba12d3325bc3a
    SHA512: f6cd8dbb3c77912f2891de34800ffa48336a0dd85022510d8cfc1905b02034a12a1faf4b99a1efaf68b620236ace608acffe6e811ec93413605962700666be76

  • C:\ProgramData\lcrueog.html
    Filesize: 92KB
    MD5: a5a9fab1f31e3596f8b321efc68d3200
    SHA1: 30109f92616bce91d101696951c4b77a934aebc6
    SHA256: d007458ab4b6c924f0ca12b3cc924f3bf2857e0489331eb387cc332c953f360b
    SHA512: 443c715052e5be1d39e3a7a7c21e38166e7125d5948a96a8fbc4d7bafab4d9aed839f26b488c69030a6f890ff86cfb86caeed2375c801e20ae0cc27bab0b30cd

  • C:\Users\Admin\AppData\Local\Temp\pcftxel.exe
    Filesize: 1.0MB
    MD5: b79e10aa53e3f1610dbe2606d5b8c233
    SHA1: ecad09dc23eab74e78ff02e2655566eb5dc39036
    SHA256: 5d182cd219ec791fe2d9ee46b141f003baef4b88c0d6c274f1cb1b977690caa2
    SHA512: 3a7efa725aaa608a18181927a8e6cf8483249d1a359491e571adf1d3cbbebf8a441fd71adca0a7588ef8aa68914bd5275296a3bbedb83b7618823db933c3151f

  • C:\Users\Admin\AppData\Local\Temp\pcftxel.exe
    Filesize: 1.4MB
    MD5: 1438e80c72f143e3ff7fb9329e1df87f
    SHA1: b6adb1285545d5c5a6e18ada580914e1f57a9162
    SHA256: 6263719feef138c624bf4df8e331da67860a643396a20b79a03306b3af072174
    SHA512: 4872c8949f6387760e4cf236c1c356665a209f1a671c384e0ac6ff28e5a44ce0cccd0d58c844fbaf66564fa1387aa2564b9262868730745f20c5c7a733ccafb8

  • C:\Users\Admin\AppData\Local\Temp\pcftxel.exe
    Filesize: 857KB
    MD5: cc2bc9f430872b8600a8b83ab37d50ae
    SHA1: 9122b833e1ad0434092cb6d7f4abec4882e108c6
    SHA256: ffb9a1270f7cd52e77d473966c4009203452090a1a5d091abc419e5f137d085d
    SHA512: 68ca6ea4c9cab37403d3bd15e448c394426046f98dcccc09cbf420bc56b79efe7288dd11ab6f3ca1bd7ec7a69184e6de5fda000b1bc810ebbc585e3fbe5eb26d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.eayftga
    Filesize: 36KB
    MD5: 73e439f82fc759dcd56f28a0414f2fde
    SHA1: 340c7e05ee1d44f61aa3852a846f3ec43247297b
    SHA256: 99f0bd0f94bf510c4f7813a84184bafa0df786709c28542abb561170d8669c4f
    SHA512: be45e9bce1f5bc7dfaf41c2631dc078d6b67d54abb6dc0d868623bf1920ec4de704f5574f7254e1fa500e30e6ad102ef6c4949facc6bdfd95940c7b7e7d98bbf

  • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
    Filesize: 129B
    MD5: a526b9e7c716b3489d8cc062fbce4005
    SHA1: 2df502a944ff721241be20a9e449d2acd07e0312
    SHA256: e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
    SHA512: d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

  • memory/804-19-0x000000000C6D0000-0x000000000C747000-memory.dmp (476KB)
  • memory/804-17-0x000000000C6D0000-0x000000000C747000-memory.dmp (476KB)
  • memory/804-22-0x000000000C6D0000-0x000000000C747000-memory.dmp (476KB)
  • memory/804-248-0x000000000C6D0000-0x000000000C747000-memory.dmp (476KB)
  • memory/804-13-0x000000000C6D0000-0x000000000C747000-memory.dmp (476KB)
  • memory/804-14-0x000000000C6D0000-0x000000000C747000-memory.dmp (476KB)
  • memory/804-3373-0x000000000C6D0000-0x000000000C747000-memory.dmp (476KB)
  • memory/804-11-0x000000000C6D0000-0x000000000C747000-memory.dmp (476KB)
  • memory/804-21-0x000000000C6D0000-0x000000000C747000-memory.dmp (476KB)
  • memory/1192-3385-0x0000000001930000-0x0000000001B7B000-memory.dmp (2.3MB)
  • memory/1192-8-0x0000000001930000-0x0000000001B7B000-memory.dmp (2.3MB)
  • memory/3264-0-0x0000000000BE0000-0x0000000000DFA000-memory.dmp (2.1MB)
  • memory/3264-2-0x0000000000E00000-0x000000000104B000-memory.dmp (2.3MB)
  • memory/3264-1-0x00000000005D0000-0x00000000005D1000-memory.dmp (4KB)
  • memory/4372-3405-0x0000000000FD0000-0x000000000121B000-memory.dmp (2.3MB)
  • memory/4372-3406-0x0000000000FD0000-0x000000000121B000-memory.dmp (2.3MB)