Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 05-02-2024 08:06
Static task: static1

Behavioral task: behavioral1
  Sample: VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
  Resource: win10v2004-20231215-en
General
Target: VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
Size: 662KB
MD5: a5d0e995d43232bd4b3d73f8899b7ef0
SHA1: 46e06085c542f69ca2a78bba9f4eaa0ad77b1713
SHA256: 597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674
SHA512: c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb
SSDEEP: 12288:vKPvdIQ/slCcdrN8VfeP/hUmQ2jqh+aCKpQKEskUjeWhjZrwPqQRc:a6OslWVfeP/s2j8+aCGHFZnOc
Malware Config
Extracted
Path: C:\ProgramData\ulbiyui.html
URLs:
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion
Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: wknrxte.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation | wknrxte.exe

Executes dropped EXE (2 IoCs)
Processes: wknrxte.exe, wknrxte.exe
pid | process
2396 | wknrxte.exe
2916 | wknrxte.exe

Drops desktop.ini file(s) (2 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | F:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe
description | ioc | process
File opened (read-only) | \??\F: | svchost.exe

Drops file in System32 directory (1 IoC)
Processes: wknrxte.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | wknrxte.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: Explorer.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-pdtujmm.bmp" | Explorer.EXE

Drops file in Program Files directory (2 IoCs)
Processes: svchost.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pdtujmm.txt | svchost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pdtujmm.bmp | svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
1920 | vssadmin.exe

Modifies Internet Explorer settings (3 IoCs)
Processes: wknrxte.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main | wknrxte.exe
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | wknrxte.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | wknrxte.exe

Modifies data under HKEY_USERS (22 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{351d1101-9b6a-11ee-8f37-ce9b5d0c5de4}\NukeOnDelete = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8c41d644-9ba8-11ee-a7cd-806e6f6e6963}\NukeOnDelete = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{351d1101-9b6a-11ee-8f37-ce9b5d0c5de4} | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{351d1101-9b6a-11ee-8f37-ce9b5d0c5de4}\MaxCapacity = "2047" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00380063003400310064003600340034002d0039006200610038002d0031003100650065002d0061003700630064002d003800300036006500360066003600650036003900360033007d00000030002c007b00330035003100640031003100300031002d0039006200360061002d0031003100650065002d0038006600330037002d006300650039006200350064003000630035006400650034007d0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8c41d644-9ba8-11ee-a7cd-806e6f6e6963} | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8c41d644-9ba8-11ee-a7cd-806e6f6e6963}\MaxCapacity = "14116" | svchost.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe, wknrxte.exe, wknrxte.exe
pid | process
1712 | VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
2396 | wknrxte.exe
2396 | wknrxte.exe
2396 | wknrxte.exe
2396 | wknrxte.exe
2916 | wknrxte.exe
2916 | wknrxte.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: wknrxte.exe
description | pid | process
Token: SeDebugPrivilege | 2396 | wknrxte.exe
Token: SeDebugPrivilege | 2396 | wknrxte.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: wknrxte.exe
pid | process
2916 | wknrxte.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes: wknrxte.exe
pid | process
2916 | wknrxte.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: wknrxte.exe
pid | process
2916 | wknrxte.exe
2916 | wknrxte.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
pid | process
1264 | Explorer.EXE

Suspicious use of WriteProcessMemory (23 IoCs)
Processes: taskeng.exe, wknrxte.exe, svchost.exe
description | pid | process | target process
PID 1208 wrote to memory of 2396 | 1208 | taskeng.exe | wknrxte.exe
PID 1208 wrote to memory of 2396 | 1208 | taskeng.exe | wknrxte.exe
PID 1208 wrote to memory of 2396 | 1208 | taskeng.exe | wknrxte.exe
PID 1208 wrote to memory of 2396 | 1208 | taskeng.exe | wknrxte.exe
PID 2396 wrote to memory of 608 | 2396 | wknrxte.exe | svchost.exe
PID 608 wrote to memory of 2656 | 608 | svchost.exe | DllHost.exe
PID 608 wrote to memory of 2656 | 608 | svchost.exe | DllHost.exe
PID 608 wrote to memory of 2656 | 608 | svchost.exe | DllHost.exe
PID 2396 wrote to memory of 1264 | 2396 | wknrxte.exe | Explorer.EXE
PID 2396 wrote to memory of 1920 | 2396 | wknrxte.exe | vssadmin.exe
PID 2396 wrote to memory of 1920 | 2396 | wknrxte.exe | vssadmin.exe
PID 2396 wrote to memory of 1920 | 2396 | wknrxte.exe | vssadmin.exe
PID 2396 wrote to memory of 1920 | 2396 | wknrxte.exe | vssadmin.exe
PID 2396 wrote to memory of 2916 | 2396 | wknrxte.exe | wknrxte.exe
PID 2396 wrote to memory of 2916 | 2396 | wknrxte.exe | wknrxte.exe
PID 2396 wrote to memory of 2916 | 2396 | wknrxte.exe | wknrxte.exe
PID 2396 wrote to memory of 2916 | 2396 | wknrxte.exe | wknrxte.exe
PID 608 wrote to memory of 1908 | 608 | svchost.exe | DllHost.exe
PID 608 wrote to memory of 1908 | 608 | svchost.exe | DllHost.exe
PID 608 wrote to memory of 1908 | 608 | svchost.exe | DllHost.exe
PID 608 wrote to memory of 2176 | 608 | svchost.exe | wmiprvse.exe
PID 608 wrote to memory of 2176 | 608 | svchost.exe | wmiprvse.exe
PID 608 wrote to memory of 2176 | 608 | svchost.exe | wmiprvse.exe
Processes
(process tree; indentation shows parent/child depth, each entry gives image path, then command line)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of UnmapMainImage

  C:\Users\Admin\AppData\Local\Temp\VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe"
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

  C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

  C:\Windows\system32\wbem\wmiprvse.exe
    command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {31C47B99-B7B8-4DD7-BF5E-82EF2BA5F744} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
    command line: C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin delete shadows all
      - Interacts with shadow copies

    C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\wknrxte.exe" -u
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Downloads

C:\ProgramData\Adobe\xwwktjk
  Filesize: 654B
  MD5: ac10d980eba23bd733c6c2f319cdf3b3
  SHA1: 95373b54671cab5ced53a1db31555942a3e84c74
  SHA256: 996cc89d50d956c68da8ae7d5b4bd119eecad656ddc9efaaf2062b6bcd431458
  SHA512: 24db1d767989586f8a0ff38c1c0ba89453d292b2e5386faa60c102a0ce6e5640020e5ab6ed42176703c8057ef504a75bbaf9fa883983de689bce68a525cab095

C:\ProgramData\Adobe\xwwktjk
  Filesize: 654B
  MD5: 6a243a410c641138de1f28dacd9358d0
  SHA1: 6020082c3f1ab5e92a061c0d21b98ebb61df2164
  SHA256: ec44616f28d31a013812e064d864d71a9549bd1af909c393ed1d8d36ea640ad3
  SHA512: 3d6a0cf526097799849d1f50f024247fb74d1ff6407e0d468bf0086da167df7825f4193c9909082fb26d78beeb69ead6418c5359ceef12b7520c0e4938e1ef27

C:\ProgramData\ulbiyui.html
  Filesize: 62KB
  MD5: 200fa3637f5ed5b1800600ce7f3f8f52
  SHA1: 93837e660ddc74219ba2970b21958b47eb8c7fab
  SHA256: 2726a8bff8d91588635f71866b546346705c763537bcdb9ed01b08800e4eaad3
  SHA512: cd1a514af7f726d03990f07c5fc39a2ad0ada62ea49e19f2377c6b04d75ee5a8a194510f6999d793c17b1f3754196762d681f2e93911bfb14574227a7bac7eca

C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
  Filesize: 640KB
  MD5: cb3eb9190a67d4a29bf88b0c14b01acf
  SHA1: 58ec918a7be2a7c9c027b1710cbebe07f9651881
  SHA256: a3d46e45eafba5dc674176f9e115162759393d06ddb60a32de14cb6bb650f6ca
  SHA512: d9acdcd2dced3519462d7b429bb0039be6644a01a099a3720bf8eba3e0763c18b4c7d153580c7367c463f666531c1414315cae2f4d950e96cda7e9f7e772360e

C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
  Filesize: 662KB
  MD5: a5d0e995d43232bd4b3d73f8899b7ef0
  SHA1: 46e06085c542f69ca2a78bba9f4eaa0ad77b1713
  SHA256: 597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674
  SHA512: c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb
Memory dumps (file | Filesize)
memory/608-20-0x00000000002D0000-0x0000000000347000-memory.dmp | 476KB
memory/608-1217-0x00000000002D0000-0x0000000000347000-memory.dmp | 476KB
memory/608-13-0x00000000002D0000-0x0000000000347000-memory.dmp | 476KB
memory/608-9-0x00000000002D0000-0x0000000000347000-memory.dmp | 476KB
memory/608-17-0x00000000002D0000-0x0000000000347000-memory.dmp | 476KB
memory/608-14-0x00000000002D0000-0x0000000000347000-memory.dmp | 476KB
memory/608-19-0x00000000002D0000-0x0000000000347000-memory.dmp | 476KB
memory/608-11-0x00000000002D0000-0x0000000000347000-memory.dmp | 476KB
memory/608-273-0x00000000002D0000-0x0000000000347000-memory.dmp | 476KB
memory/1712-1-0x0000000000900000-0x0000000000B4B000-memory.dmp | 2.3MB
memory/1712-0-0x00000000006E0000-0x00000000008FA000-memory.dmp | 2.1MB
memory/2396-6-0x00000000009A0000-0x0000000000BEB000-memory.dmp | 2.3MB
memory/2396-1229-0x00000000009A0000-0x0000000000BEB000-memory.dmp | 2.3MB
memory/2396-1240-0x00000000009A0000-0x0000000000BEB000-memory.dmp | 2.3MB
memory/2916-1242-0x0000000000980000-0x0000000000BCB000-memory.dmp | 2.3MB
memory/2916-1243-0x0000000000980000-0x0000000000BCB000-memory.dmp | 2.3MB
memory/2916-1244-0x0000000000290000-0x0000000000291000-memory.dmp | 4KB
memory/2916-1246-0x0000000000980000-0x0000000000BCB000-memory.dmp | 2.3MB
memory/2916-1247-0x0000000000980000-0x0000000000BCB000-memory.dmp | 2.3MB
memory/2916-1248-0x0000000000980000-0x0000000000BCB000-memory.dmp | 2.3MB
memory/2916-1249-0x0000000000980000-0x0000000000BCB000-memory.dmp | 2.3MB