ctblocker | aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

General

Target

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
Size

994KB
MD5

0cefce0dbbbedc5eb1febe4d85b23c71
SHA1

6aef7d5a462268c438c8417ee0da3f130b8aa84a
SHA256

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938
SHA512

1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-uqvplrh.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 6C3IHNY-F4VQY3F-5YAGJ5J-2MAPEX4-54DKIYI-AUPXLGB-B4CCDVC-BE4FO4N THYNNNX-KFXWSHY-V26PVBA-KLZOHHX-ECANY7X-LBQ74NU-57FMZLE-SHK4PTL XXM2MCV-3QMBBGF-ZXTCOBY-7AIFTQC-4K4CCBW-PRTSXLP-6774Z3V-VBM44EO Follow the instructions on the server.

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Executes dropped EXE 2 IoCs

Processes:

wckayle.exewckayle.exe

pid process

1820 wckayle.exe
684 wckayle.exe

pid	process
1820	wckayle.exe
684	wckayle.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\MountGrant.RAW.uqvplrh	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PushUnregister.RAW.uqvplrh	svchost.exe

Loads dropped DLL 1 IoCs

Processes:

wckayle.exe

pid process

1820 wckayle.exe

pid	process
1820	wckayle.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exewckayle.exe

description	pid	process	target process
PID 1688 set thread context of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1820 set thread context of 684	1820	wckayle.exe	wckayle.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-uqvplrh.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-uqvplrh.bmp	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exewckayle.exe

pid	process
760	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
684	wckayle.exe
684	wckayle.exe
684	wckayle.exe
684	wckayle.exe
684	wckayle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wckayle.exe

description pid process

Token: SeDebugPrivilege 684 wckayle.exe
Token: SeDebugPrivilege 684 wckayle.exe

description	pid	process
Token: SeDebugPrivilege	684	wckayle.exe
Token: SeDebugPrivilege	684	wckayle.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exetaskeng.exewckayle.exewckayle.exesvchost.exe

description	pid	process	target process
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1240 wrote to memory of 1820	1240	taskeng.exe	wckayle.exe
PID 1240 wrote to memory of 1820	1240	taskeng.exe	wckayle.exe
PID 1240 wrote to memory of 1820	1240	taskeng.exe	wckayle.exe
PID 1240 wrote to memory of 1820	1240	taskeng.exe	wckayle.exe
PID 1820 wrote to memory of 684	1820	wckayle.exe	wckayle.exe
PID 1820 wrote to memory of 684	1820	wckayle.exe	wckayle.exe
PID 1820 wrote to memory of 684	1820	wckayle.exe	wckayle.exe
PID 1820 wrote to memory of 684	1820	wckayle.exe	wckayle.exe
PID 1820 wrote to memory of 684	1820	wckayle.exe	wckayle.exe
PID 1820 wrote to memory of 684	1820	wckayle.exe	wckayle.exe
PID 1820 wrote to memory of 684	1820	wckayle.exe	wckayle.exe
PID 1820 wrote to memory of 684	1820	wckayle.exe	wckayle.exe
PID 684 wrote to memory of 576	684	wckayle.exe	svchost.exe
PID 576 wrote to memory of 1308	576	svchost.exe	wmiprvse.exe
PID 576 wrote to memory of 1308	576	svchost.exe	wmiprvse.exe
PID 576 wrote to memory of 1308	576	svchost.exe	wmiprvse.exe
PID 576 wrote to memory of 1768	576	svchost.exe	DllHost.exe
PID 576 wrote to memory of 1768	576	svchost.exe	DllHost.exe
PID 576 wrote to memory of 1768	576	svchost.exe	DllHost.exe
PID 684 wrote to memory of 1412	684	wckayle.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
"C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
"C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:1308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1768

C:\Windows\system32\taskeng.exe
taskeng.exe {7D3B04BE-9000-4BD4-8EB3-DB1D8422DF6A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\wckayle.exe
C:\Users\Admin\AppData\Local\Temp\wckayle.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\wckayle.exe
C:\Users\Admin\AppData\Local\Temp\wckayle.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\bduhczi
MD5
3737dc6a1da4b78f4ca9780c79b056a8

SHA1
ce9eea6b2983b692fe49a1d74e90536eb3aa29cf

SHA256
6f108fff44bef589ef293c491758bc5e3706ac32959b7b29e7b8c4f5c6e4bf19

SHA512
4f62362718938ab551290b2403a69cad1947b3b6555f1c55856c40fa9ca303f3aabcf5b524e1e3ee77fab7722969a9749948dc80ce9b3e8fa4b8adcc6178b5aa

Download Submit
C:\ProgramData\Microsoft\bduhczi
MD5
6e760de5096fa5c12bf151a5c37debf3

SHA1
beb1b82a083cc0201bdd3ae78a14f0c0f71e7211

SHA256
a7cef84a0b3bd791609c150d5c9d8a551277425a8fe6e25f9b7c734272810dd4

SHA512
73b3b5f2f194f3a2d465302d391fd33c7d8287f49ea8e33738ec06be9c0e5e6d8b7bdd1767245838f31e5c1f61016f9bd9dac3a7b56792ce9ae76fb58aeb17a5

Download Submit
C:\ProgramData\Microsoft\bduhczi
MD5
a6243717d20d7d21cd61ce418ad5b29c

SHA1
d064a1a1fd2af8c54cff4233c785df43ce340c1d

SHA256
7a527fb8b966f6f133151ed68ba3335539f7882ef2a925f681634e81aa67e9ab

SHA512
f4fbe48c111967acfa94d6b3d3fc1769bfb6a51f53af21cdee5c59398db545451f6c11df297393ba77e07ee6f9b294e7acc3a7e637ecb89a15a44b14df6a198c

Download Submit
C:\ProgramData\Microsoft\bduhczi
MD5
a6243717d20d7d21cd61ce418ad5b29c

SHA1
d064a1a1fd2af8c54cff4233c785df43ce340c1d

SHA256
7a527fb8b966f6f133151ed68ba3335539f7882ef2a925f681634e81aa67e9ab

SHA512
f4fbe48c111967acfa94d6b3d3fc1769bfb6a51f53af21cdee5c59398db545451f6c11df297393ba77e07ee6f9b294e7acc3a7e637ecb89a15a44b14df6a198c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wckayle.exe
MD5
0cefce0dbbbedc5eb1febe4d85b23c71

SHA1
6aef7d5a462268c438c8417ee0da3f130b8aa84a

SHA256
aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

SHA512
1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wckayle.exe
MD5
0cefce0dbbbedc5eb1febe4d85b23c71

SHA1
6aef7d5a462268c438c8417ee0da3f130b8aa84a

SHA256
aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

SHA512
1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wckayle.exe
MD5
0cefce0dbbbedc5eb1febe4d85b23c71

SHA1
6aef7d5a462268c438c8417ee0da3f130b8aa84a

SHA256
aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

SHA512
1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Download Submit
\Users\Admin\AppData\Local\Temp\wckayle.exe
MD5
0cefce0dbbbedc5eb1febe4d85b23c71

SHA1
6aef7d5a462268c438c8417ee0da3f130b8aa84a

SHA256
aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

SHA512
1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Download Submit
memory/576-73-0x0000000000580000-0x00000000005F7000-memory.dmp

Filesize
476KB

Download
memory/576-74-0x0000000000580000-0x00000000005F7000-memory.dmp

Filesize
476KB

Download
memory/576-77-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/684-72-0x0000000000BD0000-0x0000000000E1B000-memory.dmp

Filesize
2.3MB

Download
memory/760-62-0x0000000000C70000-0x0000000000EBB000-memory.dmp

Filesize
2.3MB

Download
memory/760-61-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/760-59-0x0000000000A50000-0x0000000000C6A000-memory.dmp

Filesize
2.1MB

Download
memory/760-58-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/760-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1688-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1688-56-0x0000000000A10000-0x0000000000A30000-memory.dmp

Filesize
128KB

Download
memory/1688-55-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads