Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Factuur4388.PDF.exe

windows7-x64

10

Factuur4388.PDF.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10/06/2024, 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Factuur4388.PDF.exe

  • Size

    772KB

  • MD5

    95f60b5b36d63307d83e3f3de9675a1d

  • SHA1

    da733991d9618b3a3bb5cc503ba0e860f1e8ea29

  • SHA256

    f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

  • SHA512

    de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

  • SSDEEP

    12288:6sFxcCZxPEWJNy93q0DWm9+X6MSUJKzR9wz2U7qdyys2he3gxNMlKglt8RsrtUvy:bHP7gqXpKGNehe3x3r8CU

Score
10/10
ctblockerdefense_evasionexecutionimpactransomware

Malware Config

Extracted

Path

C:\ProgramData\yxamqxj.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:2140
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        2⤵
          PID:2056
        • C:\Windows\system32\wbem\wmiprvse.exe
          C:\Windows\system32\wbem\wmiprvse.exe -Embedding
          2⤵
            PID:692
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
          • Sets desktop wallpaper using registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:1196
          • C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe
            "C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3068
            • C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe
              C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1836
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {7EE93F14-A2B5-4100-AB1C-5A1DF9AE9D45} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Users\Admin\AppData\Local\Temp\byqlwkh.exe
            C:\Users\Admin\AppData\Local\Temp\byqlwkh.exe
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1276
            • C:\Users\Admin\AppData\Local\Temp\byqlwkh.exe
              C:\Users\Admin\AppData\Local\Temp\byqlwkh.exe
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2176
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows all
                4⤵
                • Interacts with shadow copies
                PID:1680
              • C:\Users\Admin\AppData\Local\Temp\byqlwkh.exe
                "C:\Users\Admin\AppData\Local\Temp\byqlwkh.exe" -u
                4⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1300
                • C:\Users\Admin\AppData\Local\Temp\byqlwkh.exe
                  C:\Users\Admin\AppData\Local\Temp\byqlwkh.exe
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies Internet Explorer settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:320

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft Help\pvglbdi
          Filesize

          654B

          MD5

          7e4c95b3e87edaf4ec8cd570f32151dc

          SHA1

          927e2e92a4ba6a5e34eb6962a74569c06e8d83d3

          SHA256

          d381db02620c4b390c93389d73b266574d6dea9a8a76f2c88a29deb53fc5dda8

          SHA512

          0450af5768d5c35805fa5195ecf81a14f827f83e9429edf4ac9c547277b6bcbf4e76b22350f12802531b5a82022006821cd886cd97fd380a53f70d432a871754

          Download Submit

        • C:\ProgramData\Microsoft Help\pvglbdi
          Filesize

          654B

          MD5

          8d0975483ba29024f80925e61729c9eb

          SHA1

          4020d13cb0ed157b08f82bbb8017b748f8c156b5

          SHA256

          57150acb370d65f76a62b859eef0f379a3491adb9191d6ad56a6cbef08ceab34

          SHA512

          2288448ea5fcefe4c7bb0e9899c161057efff5f6dfb1cfd23a6d7ab0717b753dc66ed8186eb1574b7db7e19fc6ee2b9404e254702e7432795a9c42afdaae6c43

          Download Submit

        • C:\ProgramData\Microsoft Help\pvglbdi
          Filesize

          654B

          MD5

          6a934b98a21d6d143da031474fb2b0db

          SHA1

          3299b45bb319023ecc24ad9772b03897fc18fb6e

          SHA256

          0fda3b44de4c42327fe925a7569093042ea1f03fa8a457fc3aa9a5a3e67b50ea

          SHA512

          691f6884809bb3355ccfc811d548db4110c752da33016494306309592ef1bdba82af868ca6ba83a2a9147e8b19034924e3d46785cf22dc39d5635f434623d6c8

          Download Submit

        • C:\ProgramData\yxamqxj.html
          Filesize

          64KB

          MD5

          0c988a52f02b9a25943a50990f6a55e5

          SHA1

          da7307cd2ccdaea8c16d438e32f3a3e69f7fab53

          SHA256

          faf118e14a9d9112246f81352a3824d6e3064de7ee1a785fd10ffcf759ae329c

          SHA512

          755ca0505db24807d80321ec52dece11aab226d9e5c5ce03e6fe30660cdb9f8a5ddc624f1cb5a63f2ef507e7ebc3234de50ce2afe2c2bc12d6a8466957bce7ff

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\byqlwkh.exe
          Filesize

          772KB

          MD5

          95f60b5b36d63307d83e3f3de9675a1d

          SHA1

          da733991d9618b3a3bb5cc503ba0e860f1e8ea29

          SHA256

          f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

          SHA512

          de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
          Filesize

          129B

          MD5

          a526b9e7c716b3489d8cc062fbce4005

          SHA1

          2df502a944ff721241be20a9e449d2acd07e0312

          SHA256

          e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

          SHA512

          d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

          Download Submit

        • memory/320-1315-0x0000000028B80000-0x0000000028DCB000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/320-1314-0x0000000028B80000-0x0000000028DCB000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/592-1277-0x00000000003E0000-0x0000000000457000-memory.dmp

          Filesize

          476KB

          Download

        • memory/592-49-0x00000000003E0000-0x0000000000457000-memory.dmp

          Filesize

          476KB

          Download

        • memory/592-53-0x00000000003E0000-0x0000000000457000-memory.dmp

          Filesize

          476KB

          Download

        • memory/592-47-0x00000000003E0000-0x0000000000457000-memory.dmp

          Filesize

          476KB

          Download

        • memory/592-45-0x00000000003E0000-0x0000000000457000-memory.dmp

          Filesize

          476KB

          Download

        • memory/592-42-0x00000000003E0000-0x0000000000457000-memory.dmp

          Filesize

          476KB

          Download

        • memory/592-41-0x00000000003E0000-0x0000000000457000-memory.dmp

          Filesize

          476KB

          Download

        • memory/592-38-0x00000000003E0000-0x0000000000457000-memory.dmp

          Filesize

          476KB

          Download

        • memory/592-39-0x00000000003E0000-0x0000000000457000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1276-20-0x0000000000400000-0x00000000004C1000-memory.dmp

          Filesize

          772KB

          Download

        • memory/1836-7-0x0000000000400000-0x0000000001400000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1836-15-0x0000000000401000-0x00000000004A5000-memory.dmp

          Filesize

          656KB

          Download

        • memory/1836-2-0x00000000001B0000-0x00000000002AA000-memory.dmp

          Filesize

          1000KB

          Download

        • memory/1836-12-0x0000000000400000-0x0000000001400000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1836-10-0x0000000000400000-0x0000000001400000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1836-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1836-4-0x0000000000400000-0x0000000001400000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1836-14-0x00000000289B0000-0x0000000028BFB000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/1836-13-0x0000000028790000-0x00000000289AA000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2176-1289-0x0000000028940000-0x0000000028B8B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2176-35-0x0000000028940000-0x0000000028B8B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2176-1300-0x0000000028940000-0x0000000028B8B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2176-34-0x0000000000400000-0x00000000004A4600-memory.dmp

          Filesize

          657KB

          Download

        • memory/2176-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3068-0-0x0000000000280000-0x0000000000284000-memory.dmp

          Filesize

          16KB

          Download