Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
20-08-2024 08:49
Static task
static1
Behavioral task
behavioral1
Sample
ctrsys.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ctrsys.exe
Resource
win10v2004-20240802-en
General
-
Target
ctrsys.exe
-
Size
183KB
-
MD5
3870e4591ce517d956771e23c361582d
-
SHA1
28d09d35d3e5a8490ef4a4ebaa36262fa411afba
-
SHA256
2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d
-
SHA512
61dc0f9ca1a81170ef6aa4e514432079ebf12509eb615a191dae9f0e801d95748adf1cfd7d03dc5035dddd809458b0d42453b3fd51ca29cca3b8776a430de2d1
-
SSDEEP
3072:8FuxfutjURbpYkH+wWtaiEGlIQZboLRG9ua/aHyvXgQd2md:8FEgjUXr7NGlVbAh
Malware Config
Extracted
C:\MNYHU2Jh1.README.txt
https://coinatmradar.com
https://www.moonpay.com/buy
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
resource yara_rule behavioral1/files/0x0009000000017462-10.dat family_lockbit -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2792 LB3.exe 2960 3B6B.tmp -
Loads dropped DLL 3 IoCs
pid Process 2872 ctrsys.exe 2872 ctrsys.exe 2792 LB3.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ctrsys.exe Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ctrsys.exe Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ctrsys.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdate\\JavaUpdate.exe" ctrsys.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini LB3.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini LB3.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\MNYHU2Jh1.bmp" LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\MNYHU2Jh1.bmp" LB3.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2960 3B6B.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctrsys.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LB3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3B6B.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\WallpaperStyle = "10" LB3.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1\DefaultIcon\ = "C:\\ProgramData\\MNYHU2Jh1.ico" LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.MNYHU2Jh1 LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.MNYHU2Jh1\ = "MNYHU2Jh1" LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1\DefaultIcon LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1 LB3.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 2872 ctrsys.exe 2872 ctrsys.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe 2792 LB3.exe -
Suspicious behavior: RenamesItself 2 IoCs
pid Process 2872 ctrsys.exe 2792 LB3.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2872 ctrsys.exe Token: SeAssignPrimaryTokenPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeDebugPrivilege 2792 LB3.exe Token: 36 2792 LB3.exe Token: SeImpersonatePrivilege 2792 LB3.exe Token: SeIncBasePriorityPrivilege 2792 LB3.exe Token: SeIncreaseQuotaPrivilege 2792 LB3.exe Token: 33 2792 LB3.exe Token: SeManageVolumePrivilege 2792 LB3.exe Token: SeProfSingleProcessPrivilege 2792 LB3.exe Token: SeRestorePrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSystemProfilePrivilege 2792 LB3.exe Token: SeTakeOwnershipPrivilege 2792 LB3.exe Token: SeShutdownPrivilege 2792 LB3.exe Token: SeDebugPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeBackupPrivilege 2792 LB3.exe Token: SeSecurityPrivilege 2792 LB3.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2872 ctrsys.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2792 2872 ctrsys.exe 32 PID 2872 wrote to memory of 2792 2872 ctrsys.exe 32 PID 2872 wrote to memory of 2792 2872 ctrsys.exe 32 PID 2872 wrote to memory of 2792 2872 ctrsys.exe 32 PID 2792 wrote to memory of 2960 2792 LB3.exe 34 PID 2792 wrote to memory of 2960 2792 LB3.exe 34 PID 2792 wrote to memory of 2960 2792 LB3.exe 34 PID 2792 wrote to memory of 2960 2792 LB3.exe 34 PID 2792 wrote to memory of 2960 2792 LB3.exe 34 PID 2960 wrote to memory of 1916 2960 3B6B.tmp 35 PID 2960 wrote to memory of 1916 2960 3B6B.tmp 35 PID 2960 wrote to memory of 1916 2960 3B6B.tmp 35 PID 2960 wrote to memory of 1916 2960 3B6B.tmp 35 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ctrsys.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ctrsys.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ctrsys.exe"C:\Users\Admin\AppData\Local\Temp\ctrsys.exe"1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\LB3.exe"C:\Users\Admin\AppData\Local\Temp\LB3.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\ProgramData\3B6B.tmp"C:\ProgramData\3B6B.tmp"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B6B.tmp >> NUL4⤵
- System Location Discovery: System Language Discovery
PID:1916
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1481⤵PID:2372
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD582adba94104c4d8e1ac5fdbb5dcc99a1
SHA124ec074040973324eb107707b27c15fde3e7dc11
SHA2569d6992e2e10662bd7b906cb36ae8083989de475bb8a760104d3cd6e2f35c1ca0
SHA512227b23c406690f0032e5634568b079a82d4969b88a3c38b8970e91dfc86ca5701fa3b0f24be22042fc76b254fe9d1112528235c10bc299b8c4822fbbca65a7da
-
Filesize
1KB
MD570f8acf921f004784b21982bdfb5fb9b
SHA1a5fe82b54b1da9425c680e04ac9a0ea88ff4a225
SHA256497cdf0c2b83ff7b52d2b0e06985a0dd70746291f1c7fef1dd191e286a8f71f4
SHA51204c76d374ac49c6c6d72fd00c0bafe0bb50ab98f8e2e954f32c575720df623d1e1103954475e9a36a79de7820627ef5170d00ac1d768038e50ad1e4e80313084
-
Filesize
147KB
MD53a5b5579e7201ffaf0fa21ace50d47f9
SHA1da3588f43550b42238c28aa0c67716636e61940e
SHA2565218e7bb6ddf704b6578c9b37dd5312d70c667f0c2ca80c99a9f9f1ad045c10f
SHA512424ff6d85679b4baaeaa36bd7da2d068c69315a20f844824ab845cd52203bb845440e28b9136936f49b88d595ae9fe33899c5ab721e077986526ccc6be38069f
-
Filesize
129B
MD56ccb04dab0e9f3c35b56432fbaaf220b
SHA18106f3498e8cae0cd1fb5db36032bfb8fc514448
SHA256b9ed1eeb5512a12bf9932a6bfb6f6d260d780ac896c98168a1abcf555fd488e2
SHA512538beebab9266d7218b62cbc584105353fd09f35918f5932af84409bacb45d35058f232edff073283c05e006915938d4a4af02b42ac43f2538a395db3fca1d60
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
147KB
MD55820e728cfad98d8673d29448c58c7d5
SHA1cfe71685fd09fd14d2d2faa8618b2559438a8b1e
SHA2565ccc9cb2e75c85b87f7244cca81c1acf6dfffe8f35a8c4d0ee00795872a9c9e7
SHA51228ce7d774bd528a83e18fadf74e2826ae99031909e0907c83278604ba72a299942436721443ead9820a7e6bbc1f07c2e325886d316ed529fd12946c20e6cb9d4