Analysis
max time kernel: 100s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-08-2024 08:49
Static task: static1
Behavioral task: behavioral1
  Sample: ctrsys.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: ctrsys.exe
  Resource: win10v2004-20240802-en
General
Target: ctrsys.exe
Size: 183KB
MD5: 3870e4591ce517d956771e23c361582d
SHA1: 28d09d35d3e5a8490ef4a4ebaa36262fa411afba
SHA256: 2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d
SHA512: 61dc0f9ca1a81170ef6aa4e514432079ebf12509eb615a191dae9f0e801d95748adf1cfd7d03dc5035dddd809458b0d42453b3fd51ca29cca3b8776a430de2d1
SSDEEP: 3072:8FuxfutjURbpYkH+wWtaiEGlIQZboLRG9ua/aHyvXgQd2md:8FEgjUXr7NGlVbAh
Malware Config
Extracted
Path: C:\MNYHU2Jh1.README.txt
URLs:
- https://coinatmradar.com
- https://www.moonpay.com/buy
- https://tox.chat/download.html
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
- resource: behavioral2/files/0x00070000000234a2-18.dat, yara_rule: family_lockbit
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to or copy of a web browser credential store.
Renames multiple (615) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (ctrsys.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (FC62.tmp)
Executes dropped EXE (2 IoCs)
- PID 4708 LB3.exe
- PID 5720 FC62.tmp
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ctrsys.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ctrsys.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ctrsys.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdate\\JavaUpdate.exe" (ctrsys.exe)
Drops desktop.ini file(s) (2 IoCs)
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini (LB3.exe)
- File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini (LB3.exe)
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 19: checkip.dyndns.org
Drops file in System32 directory (4 IoCs)
- File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PPyzppyon4h4q0by1dcwfsciv0c.TMP (printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PPillleds2tr03fsgh60nfu2qzc.TMP (printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PP3go0xj0t61ptk9926990xds3c.TMP (printfilterpipelinesvc.exe)
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\MNYHU2Jh1.bmp" (LB3.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\MNYHU2Jh1.bmp" (LB3.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- PID 5720 FC62.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ctrsys.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (LB3.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (FC62.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
Modifies Control Panel (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop (LB3.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\WallpaperStyle = "10" (LB3.exe)
Modifies registry class (5 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.MNYHU2Jh1 (LB3.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.MNYHU2Jh1\ = "MNYHU2Jh1" (LB3.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1\DefaultIcon (LB3.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1 (LB3.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1\DefaultIcon\ = "C:\\ProgramData\\MNYHU2Jh1.ico" (LB3.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 5004 ctrsys.exe (2 entries)
- PID 4708 LB3.exe (62 entries)
Suspicious behavior: RenamesItself (2 IoCs)
- PID 5004 ctrsys.exe
- PID 4708 LB3.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 5004 ctrsys.exe
- Token: SeAssignPrimaryTokenPrivilege, PID 4708 LB3.exe
- Token: SeBackupPrivilege, PID 4708 LB3.exe
- Token: SeDebugPrivilege, PID 4708 LB3.exe
- Token: 36, PID 4708 LB3.exe
- Token: SeImpersonatePrivilege, PID 4708 LB3.exe
- Token: SeIncBasePriorityPrivilege, PID 4708 LB3.exe
- Token: SeIncreaseQuotaPrivilege, PID 4708 LB3.exe
- Token: 33, PID 4708 LB3.exe
- Token: SeManageVolumePrivilege, PID 4708 LB3.exe
- Token: SeProfSingleProcessPrivilege, PID 4708 LB3.exe
- Token: SeRestorePrivilege, PID 4708 LB3.exe
- Token: SeSecurityPrivilege, PID 4708 LB3.exe
- Token: SeSystemProfilePrivilege, PID 4708 LB3.exe
- Token: SeTakeOwnershipPrivilege, PID 4708 LB3.exe
- Token: SeShutdownPrivilege, PID 4708 LB3.exe
- Token: SeDebugPrivilege, PID 4708 LB3.exe
- The remaining entries are repeated, alternating SeBackupPrivilege and SeSecurityPrivilege token adjustments by PID 4708 LB3.exe.
Suspicious use of SetWindowsHookEx (14 IoCs)
- PID 5004 ctrsys.exe (1 entry)
- PID 5676 ONENOTE.EXE (13 entries)
Suspicious use of WriteProcessMemory (14 IoCs)
- PID 5004 ctrsys.exe wrote to memory of PID 4708 (procid_target 97), 3 entries
- PID 4708 LB3.exe wrote to memory of PID 5268 (procid_target 99), 2 entries
- PID 5556 printfilterpipelinesvc.exe wrote to memory of PID 5676 (procid_target 105), 2 entries
- PID 4708 LB3.exe wrote to memory of PID 5720 (procid_target 106), 4 entries
- PID 5720 FC62.tmp wrote to memory of PID 5952 (procid_target 107), 3 entries
outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ctrsys.exe)
outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ctrsys.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\ctrsys.exe (PID 5004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ctrsys.exe"
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  C:\Users\Admin\AppData\Local\Temp\LB3.exe (PID 4708)
    Command line: "C:\Users\Admin\AppData\Local\Temp\LB3.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 5268)
      Command line: C:\Windows\splwow64.exe 12288
      - Drops file in System32 directory
    C:\ProgramData\FC62.tmp (PID 5720)
      Command line: "C:\ProgramData\FC62.tmp"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 5952)
        Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FC62.tmp >> NUL
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe (PID 5212)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe (PID 5556)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 5676)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{19A05935-9563-4B23-AD07-587802B9807F}.xps" 133686173862560000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (5)
  - Credentials In Files (4)
  - Credentials in Registry (1)
Downloads