ctblocker | aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

Analysis

max time kernel
160s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
31/01/2022, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
Size

994KB
MD5

0cefce0dbbbedc5eb1febe4d85b23c71
SHA1

6aef7d5a462268c438c8417ee0da3f130b8aa84a
SHA256

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938
SHA512

1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-uqvplrh.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 6C3IHNY-F4VQY3F-5YAGJ5J-2MAPEX4-54DKIYI-AUPXLGB-B4CCDVC-BE4FO4N THYNNNX-KFXWSHY-V26PVBA-KLZOHHX-ECANY7X-LBQ74NU-57FMZLE-SHK4PTL XXM2MCV-3QMBBGF-ZXTCOBY-7AIFTQC-4K4CCBW-PRTSXLP-6774Z3V-VBM44EO Follow the instructions on the server.

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Executes dropped EXE 2 IoCs

pid	Process
1820	wckayle.exe
684	wckayle.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\MountGrant.RAW.uqvplrh	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PushUnregister.RAW.uqvplrh	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1820	wckayle.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	27
PID 1820 set thread context of 684	1820	wckayle.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-uqvplrh.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-uqvplrh.bmp	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
760	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
684	wckayle.exe
684	wckayle.exe
684	wckayle.exe
684	wckayle.exe
684	wckayle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	wckayle.exe
Token: SeDebugPrivilege	684	wckayle.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	27
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	27
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	27
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	27
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	27
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	27
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	27
PID 1688 wrote to memory of 760	1688	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	27
PID 1240 wrote to memory of 1820	1240	taskeng.exe	29
PID 1240 wrote to memory of 1820	1240	taskeng.exe	29
PID 1240 wrote to memory of 1820	1240	taskeng.exe	29
PID 1240 wrote to memory of 1820	1240	taskeng.exe	29
PID 1820 wrote to memory of 684	1820	wckayle.exe	30
PID 1820 wrote to memory of 684	1820	wckayle.exe	30
PID 1820 wrote to memory of 684	1820	wckayle.exe	30
PID 1820 wrote to memory of 684	1820	wckayle.exe	30
PID 1820 wrote to memory of 684	1820	wckayle.exe	30
PID 1820 wrote to memory of 684	1820	wckayle.exe	30
PID 1820 wrote to memory of 684	1820	wckayle.exe	30
PID 1820 wrote to memory of 684	1820	wckayle.exe	30
PID 684 wrote to memory of 576	684	wckayle.exe	25
PID 576 wrote to memory of 1308	576	svchost.exe	32
PID 576 wrote to memory of 1308	576	svchost.exe	32
PID 576 wrote to memory of 1308	576	svchost.exe	32
PID 576 wrote to memory of 1768	576	svchost.exe	33
PID 576 wrote to memory of 1768	576	svchost.exe	33
PID 576 wrote to memory of 1768	576	svchost.exe	33
PID 684 wrote to memory of 1412	684	wckayle.exe	14

C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
"C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
  "C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  2⤵
  PID:1308
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1768

C:\Windows\system32\taskeng.exe
taskeng.exe {7D3B04BE-9000-4BD4-8EB3-DB1D8422DF6A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\wckayle.exe
  C:\Users\Admin\AppData\Local\Temp\wckayle.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\wckayle.exe
    C:\Users\Admin\AppData\Local\Temp\wckayle.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-73-0x0000000000580000-0x00000000005F7000-memory.dmp

Filesize
476KB

Download
memory/576-74-0x0000000000580000-0x00000000005F7000-memory.dmp

Filesize
476KB

Download
memory/576-77-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/684-72-0x0000000000BD0000-0x0000000000E1B000-memory.dmp

Filesize
2.3MB

Download
memory/760-62-0x0000000000C70000-0x0000000000EBB000-memory.dmp

Filesize
2.3MB

Download
memory/760-61-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/760-59-0x0000000000A50000-0x0000000000C6A000-memory.dmp

Filesize
2.1MB

Download
memory/760-58-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/760-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1688-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1688-56-0x0000000000A10000-0x0000000000A30000-memory.dmp

Filesize
128KB

Download
memory/1688-55-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download