ctblocker | 8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

General

Target

8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
Size

714KB
MD5

6d83d702fad47bf24a04c4b3e2c9d930
SHA1

e706a46e3bbb821e8f4aec1f3e488be1504b855b
SHA256

8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07
SHA512

62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d
SSDEEP

12288:mSuYrHkpL3KyptgMzPez1OkvHj3CfL0PzGJRZLB3LE:X1kpL3KyAWPez1fD3mLIzGvZt3LE

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-wmajicl.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://43qzvceo6ondd6wt.onion.cab or http://43qzvceo6ondd6wt.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://43qzvceo6ondd6wt.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. TAL7KOI-LVEQOPT-FUZNGTP-STQJY5V-ERBNJ6P-HXCDA7Q-JTWXYJO-VXKLDTN F6RAZB5-SHYXV6T-CSCGRJM-X5RP34E-JYIZB6L-LIORROH-HPARHSJ-5FTWZ4I E6VKFIV-RJHJTVJ-67S26Z6-KH4Q3Y2-MVVGVUT-JTAHZFD-VHSQJ63-CEKV44L Follow the instructions on the server.

URLs

http://43qzvceo6ondd6wt.onion.cab

http://43qzvceo6ondd6wt.tor2web.org

http://43qzvceo6ondd6wt.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Executes dropped EXE 2 IoCs

pid	Process
976	gejzibk.exe
388	gejzibk.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 1984	1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	27
PID 976 set thread context of 388	976	gejzibk.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-wmajicl.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-wmajicl.bmp	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
1984	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
976	gejzibk.exe
388	gejzibk.exe
388	gejzibk.exe
388	gejzibk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	gejzibk.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
976	gejzibk.exe
976	gejzibk.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1984	1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	27
PID 1880 wrote to memory of 1984	1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	27
PID 1880 wrote to memory of 1984	1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	27
PID 1880 wrote to memory of 1984	1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	27
PID 1880 wrote to memory of 1984	1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	27
PID 1880 wrote to memory of 1984	1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	27
PID 1880 wrote to memory of 1984	1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	27
PID 1880 wrote to memory of 1984	1880	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	27
PID 1696 wrote to memory of 976	1696	taskeng.exe	29
PID 1696 wrote to memory of 976	1696	taskeng.exe	29
PID 1696 wrote to memory of 976	1696	taskeng.exe	29
PID 1696 wrote to memory of 976	1696	taskeng.exe	29
PID 976 wrote to memory of 388	976	gejzibk.exe	30
PID 976 wrote to memory of 388	976	gejzibk.exe	30
PID 976 wrote to memory of 388	976	gejzibk.exe	30
PID 976 wrote to memory of 388	976	gejzibk.exe	30
PID 976 wrote to memory of 388	976	gejzibk.exe	30
PID 976 wrote to memory of 388	976	gejzibk.exe	30
PID 976 wrote to memory of 388	976	gejzibk.exe	30
PID 976 wrote to memory of 388	976	gejzibk.exe	30
PID 388 wrote to memory of 596	388	gejzibk.exe	22

C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
"C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops file in Program Files directory
PID:596

C:\Windows\system32\taskeng.exe
taskeng.exe {034E196F-D4AE-4B17-B266-3A49E64EBF08} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
  C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\qrsyusl

Filesize
654B

MD5
c43fd3c7ad31d69af2f0c77a97a1f9c6

SHA1
3c9cf858aa095239fe40cc876cd4a3c8fb43d4cf

SHA256
29d6ed797d42a997bfff44fb533a08e3ebd14b9abf38f4d7e7c2b9ef8c38583a

SHA512
c6b65b1f6c09506aa8e0e5187bfa158e579a08eca3d3b1734008210cf8906fae77e0dc1e9bfc29553e09a9b8d3a094ee8544b23b484790e992ff0b7f247d2b8d

Download Submit
C:\ProgramData\Microsoft\qrsyusl

Filesize
654B

MD5
c43fd3c7ad31d69af2f0c77a97a1f9c6

SHA1
3c9cf858aa095239fe40cc876cd4a3c8fb43d4cf

SHA256
29d6ed797d42a997bfff44fb533a08e3ebd14b9abf38f4d7e7c2b9ef8c38583a

SHA512
c6b65b1f6c09506aa8e0e5187bfa158e579a08eca3d3b1734008210cf8906fae77e0dc1e9bfc29553e09a9b8d3a094ee8544b23b484790e992ff0b7f247d2b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe

Filesize
714KB

MD5
6d83d702fad47bf24a04c4b3e2c9d930

SHA1
e706a46e3bbb821e8f4aec1f3e488be1504b855b

SHA256
8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

SHA512
62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe

Filesize
714KB

MD5
6d83d702fad47bf24a04c4b3e2c9d930

SHA1
e706a46e3bbb821e8f4aec1f3e488be1504b855b

SHA256
8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

SHA512
62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe

Filesize
714KB

MD5
6d83d702fad47bf24a04c4b3e2c9d930

SHA1
e706a46e3bbb821e8f4aec1f3e488be1504b855b

SHA256
8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

SHA512
62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

Download Submit
memory/388-83-0x0000000028940000-0x0000000028B8B000-memory.dmp

Filesize
2.3MB

Download
memory/596-86-0x00000000005D0000-0x0000000000647000-memory.dmp

Filesize
476KB

Download
memory/596-84-0x00000000005D0000-0x0000000000647000-memory.dmp

Filesize
476KB

Download
memory/1880-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1880-63-0x0000000000300000-0x0000000000304000-memory.dmp

Filesize
16KB

Download
memory/1984-60-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1984-58-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1984-67-0x0000000028BE0000-0x0000000028E2B000-memory.dmp

Filesize
2.3MB

Download
memory/1984-65-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/1984-64-0x00000000289C0000-0x0000000028BDA000-memory.dmp

Filesize
2.1MB

Download
memory/1984-57-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1984-55-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing