Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-02-2024 08:06
Static task: static1
Behavioral task: behavioral1
- Sample: VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
- Resource: win10v2004-20231215-en
General
- Target: VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
- Size: 662KB
- MD5: a5d0e995d43232bd4b3d73f8899b7ef0
- SHA1: 46e06085c542f69ca2a78bba9f4eaa0ad77b1713
- SHA256: 597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674
- SHA512: c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb
- SSDEEP: 12288:vKPvdIQ/slCcdrN8VfeP/hUmQ2jqh+aCKpQKEskUjeWhjZrwPqQRc:a6OslWVfeP/s2j8+aCGHFZnOc
Malware Config
Extracted
C:\ProgramData\grrgxfk.html
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion
Signatures
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: nvneoqg.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | nvneoqg.exe
- Executes dropped EXE (2 IoCs)
  Processes: nvneoqg.exe, nvneoqg.exe
  pid | process
  1828 | nvneoqg.exe
  1192 | nvneoqg.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: svchost.exe
  description | ioc | process
  File opened (read-only) | \??\F: | svchost.exe
- Drops file in System32 directory (5 IoCs)
  Processes: nvneoqg.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | nvneoqg.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | nvneoqg.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | nvneoqg.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini | nvneoqg.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | nvneoqg.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: Explorer.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-klobozg.bmp" | Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  Processes: nvneoqg.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | nvneoqg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | nvneoqg.exe
- Modifies data under HKEY_USERS (23 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-d01200000000} | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-f0ff3a000000}\NukeOnDelete = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-f0ff3a000000}\MaxCapacity = "2047" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-d01200000000}\MaxCapacity = "14116" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-f0ff3a000000} | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00310038003100320032006200360063002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d00000030002c007b00310038003100320032006200360063002d0030003000300030002d0030003000300030002d0030003000300030002d006600300066006600330061003000300030003000300030007d0000000000 | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe, nvneoqg.exe
  pid | process
  3160 | VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
  3160 | VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
  1828 | nvneoqg.exe
  1828 | nvneoqg.exe
  1828 | nvneoqg.exe
  1828 | nvneoqg.exe
  1828 | nvneoqg.exe
  1828 | nvneoqg.exe
  1828 | nvneoqg.exe
  1828 | nvneoqg.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: nvneoqg.exe
  description | pid | process
  Token: SeDebugPrivilege | 1828 | nvneoqg.exe
  Token: SeDebugPrivilege | 1828 | nvneoqg.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: nvneoqg.exe
  pid | process
  1192 | nvneoqg.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  Processes: nvneoqg.exe
  pid | process
  1192 | nvneoqg.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: nvneoqg.exe
  pid | process
  1192 | nvneoqg.exe
  1192 | nvneoqg.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: nvneoqg.exe, svchost.exe
  description | pid | process | target process
  PID 1828 wrote to memory of 796 | 1828 | nvneoqg.exe | svchost.exe
  PID 796 wrote to memory of 2508 | 796 | svchost.exe | mousocoreworker.exe
  PID 796 wrote to memory of 2508 | 796 | svchost.exe | mousocoreworker.exe
  PID 796 wrote to memory of 3120 | 796 | svchost.exe | DllHost.exe
  PID 796 wrote to memory of 3120 | 796 | svchost.exe | DllHost.exe
  PID 1828 wrote to memory of 3380 | 1828 | nvneoqg.exe | Explorer.EXE
  PID 1828 wrote to memory of 1192 | 1828 | nvneoqg.exe | nvneoqg.exe
  PID 1828 wrote to memory of 1192 | 1828 | nvneoqg.exe | nvneoqg.exe
  PID 1828 wrote to memory of 1192 | 1828 | nvneoqg.exe | nvneoqg.exe
Processes
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\mousocoreworker.exe (child)
    Command line: C:\Windows\System32\mousocoreworker.exe -Embedding
  - C:\Windows\system32\DllHost.exe (child)
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - C:\Users\Admin\AppData\Local\Temp\VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe"
    - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe" -u
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\SoftwareDistribution\efxilme
  Filesize: 654B
  MD5: 8e9afd635533ce087be8829a27e998a7
  SHA1: 044425f7d0b0a6ddfa76ea9df8b3e4000caa2da1
  SHA256: 1b340cb6caf8630c304ee3067a12ab448f2f52525bdb81960376a8d7106ca005
  SHA512: 10eb00be32ecffe9a27ca1f719e43de1c691a78ffc02b5a192266d8372eaa5d84be264bdb541ecb139de2f9dc760719185f17681bd2040c1e2ce0cfa15270f72
- C:\ProgramData\SoftwareDistribution\efxilme
  Filesize: 654B
  MD5: 86d586d5974e8d2a68324fe6fe97e942
  SHA1: df56985099adfd1c1667f1e70fe4583988359b99
  SHA256: 1be70bc3b6d1ae721b053d63ffc2b61a2867dc54f9b59f908d73f882bd1dcff6
  SHA512: d1dce1afa0ce421c95066be7d26f7bf193d760fa3c1d034c93ab73cf5c6a0742ef5b1fc487edbe05450cf8a35d94bb63f97118dd34678642033ccf666b17bfde
- C:\ProgramData\SoftwareDistribution\efxilme
  Filesize: 654B
  MD5: 4c57a449f01392139d82531f55c75292
  SHA1: 5c506ed64d9e0c8bc81cc35d16097ed90252997a
  SHA256: c755941b7ee43a3eb80100ebc03287dd495e96e1984acac856a5dbe3c1f9c9f4
  SHA512: 05d3371d46b2cbdfb05fc1dc6ca5d18e15946a398d033d1c6a9a776cb5c066463c0cbc603a49797322a78f6cbee51a1b3f68415eea2733aacb941a83476fcb82
- C:\ProgramData\SoftwareDistribution\efxilme
  Filesize: 654B
  MD5: b36f7b80c67981ba03e93b40bbe224b9
  SHA1: e3f5b76fc3b17faf53048474d72ce1efd3183515
  SHA256: bb120dfb39c8e7cff3e2c826a262058ee8bb6e854eca67261492788e39c0b12c
  SHA512: 5c60f21ef42f4c5838f72e193dce196afb789deea11c1fea931a2a3c2180dc1892f44fc6645bf68cb2a5a84946569d5a3b434d0042daddf8607962a993846937
- C:\ProgramData\grrgxfk.html
  Filesize: 61KB
  MD5: bef32ef7f3e8ecf85f068c1b69d8fe9c
  SHA1: db74e9f70778e074d25385fbdb71e0c30e6f6080
  SHA256: 22298f2e16d143eed340e66bee3a236309e758175849bf366fdd76fe6f31e504
  SHA512: 9c36fbe4b6bd148afbeb0617df2e4da60f01ffca8e48631c9861750b04d99466f0707d39faddcab80bd29b36d894750e43e47e8b8fec7d25a7aed40a8341b3a9
- C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
  Filesize: 662KB
  MD5: a5d0e995d43232bd4b3d73f8899b7ef0
  SHA1: 46e06085c542f69ca2a78bba9f4eaa0ad77b1713
  SHA256: 597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674
  SHA512: c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.klobozg
  Filesize: 36KB
  MD5: bb430a25f8e39b9712c2377fc0e6d806
  SHA1: 1abc7a8ec7a4062753fa84a1f50fe01d9980a069
  SHA256: 8da581fd9203086d41cfa3bfafc44defd93c234b42a7d3a4f947fb11625a793f
  SHA512: 1b5e8b2976633951cc10c7d74208a8c5401361e3976b9499fc8ae26fdc09dc2a520b88f3737e09cbdbdfda3de6975157cf8eacf606db8ac911faee7fe8d7e158
- memory/796-11-0x0000000038830000-0x00000000388A7000-memory.dmp
  Filesize: 476KB
- memory/796-3393-0x0000000038830000-0x00000000388A7000-memory.dmp
  Filesize: 476KB
- memory/796-17-0x0000000038830000-0x00000000388A7000-memory.dmp
  Filesize: 476KB
- memory/796-19-0x0000000038830000-0x00000000388A7000-memory.dmp
  Filesize: 476KB
- memory/796-20-0x0000000038830000-0x00000000388A7000-memory.dmp
  Filesize: 476KB
- memory/796-550-0x0000000038830000-0x00000000388A7000-memory.dmp
  Filesize: 476KB
- memory/796-12-0x0000000038830000-0x00000000388A7000-memory.dmp
  Filesize: 476KB
- memory/796-15-0x0000000038830000-0x00000000388A7000-memory.dmp
  Filesize: 476KB
- memory/796-9-0x0000000038830000-0x00000000388A7000-memory.dmp
  Filesize: 476KB
- memory/1192-3424-0x0000000000980000-0x0000000000BCB000-memory.dmp
  Filesize: 2.3MB
- memory/1192-3425-0x0000000000980000-0x0000000000BCB000-memory.dmp
  Filesize: 2.3MB
- memory/1828-3405-0x0000000000A00000-0x0000000000C4B000-memory.dmp
  Filesize: 2.3MB
- memory/1828-6-0x0000000000A00000-0x0000000000C4B000-memory.dmp
  Filesize: 2.3MB
- memory/3160-0-0x0000000000900000-0x0000000000B1A000-memory.dmp
  Filesize: 2.1MB
- memory/3160-1-0x0000000000B20000-0x0000000000D6B000-memory.dmp
  Filesize: 2.3MB