ctblocker | 75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e

General

Target

75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe
Size

815KB
MD5

678d3c068832953f7adc0abdc538e320
SHA1

f3283eada70ba0362e9617706272f83f0524b7a1
SHA256

75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e
SHA512

9658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6
SSDEEP

12288:XGKVawDC8239wUoGtTvtcAEvNThLDlB1l4TcPPN9vegW37blQ06QOtG6aZQx:2KV6tt/Xa3hhLz1l4TK27rblQHQOt7x

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-bgefhdd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. MW6QKHZ-3LKZI6H-7WQS5Q2-5YAZ2VC-TLJU3FA-GJVDQJR-HQMK6SL-Y5Q3635 I67TO2G-WGQ2NWH-2TDJCJG-F5QBLCZ-CEZWQKB-MPWLIWX-J5D3AD7-MGZ3Z4V 2TQX3M2-UKDGGHN-GN2EIZL-ZNAVQEI-J367FBK-GCXEZ2B-PGEGMEG-BZWZYH4 Follow the instructions on the server.

URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-bgefhdd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. MW6QKHZ-3LKZI6H-7WQS5Q2-5YAZ2VC-TLJU3FA-GJVDQJR-HQMK6SL-Y5Q3635 I67TO2G-WGQ2NWH-2TDJCJG-F5QBLCZ-CEZWQKB-MPWLIWX-J5D3AD7-MGZ3Z4V 2TQX3M2-UKDGGHN-GN2EIZL-ZNAVQEI-J367DXK-4EXEZ2B-PGEGMEG-BZWZCTJ Follow the instructions on the server.

URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

hlahqcg.exehlahqcg.exe

pid process

1112 hlahqcg.exe
1604 hlahqcg.exe

pid	process
1112	hlahqcg.exe
1604	hlahqcg.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\MergeReset.CRW.bgefhdd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CopyCheckpoint.RAW.bgefhdd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DenyAssert.CRW.bgefhdd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExpandImport.CRW.bgefhdd	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

hlahqcg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation hlahqcg.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	hlahqcg.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-bgefhdd.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-bgefhdd.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-bgefhdd.bmp	svchost.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1608 vssadmin.exe

pid	process
1608	vssadmin.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8031afe4-1a82-11ed-a08f-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8031afe4-1a82-11ed-a08f-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8031afe4-1a82-11ed-a08f-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00380030003300310061006600650034002d0031006100380032002d0031003100650064002d0061003000380066002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exehlahqcg.exe

pid	process
1388	75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe
1112	hlahqcg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

hlahqcg.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1112 hlahqcg.exe
Token: SeDebugPrivilege 1112 hlahqcg.exe
Token: SeShutdownPrivilege 1396 Explorer.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

hlahqcg.exe

pid process

1604 hlahqcg.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

hlahqcg.exe

pid process

1604 hlahqcg.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

hlahqcg.exe

pid process

1604 hlahqcg.exe
1604 hlahqcg.exe

description	pid	process
Token: SeDebugPrivilege	1112	hlahqcg.exe
Token: SeDebugPrivilege	1112	hlahqcg.exe
Token: SeShutdownPrivilege	1396	Explorer.EXE

pid	process
1604	hlahqcg.exe

pid	process
1604	hlahqcg.exe

pid	process
1604	hlahqcg.exe
1604	hlahqcg.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

taskeng.exehlahqcg.exesvchost.exe

description	pid	process	target process
PID 1324 wrote to memory of 1112	1324	taskeng.exe	hlahqcg.exe
PID 1324 wrote to memory of 1112	1324	taskeng.exe	hlahqcg.exe
PID 1324 wrote to memory of 1112	1324	taskeng.exe	hlahqcg.exe
PID 1324 wrote to memory of 1112	1324	taskeng.exe	hlahqcg.exe
PID 1112 wrote to memory of 596	1112	hlahqcg.exe	svchost.exe
PID 596 wrote to memory of 580	596	svchost.exe	DllHost.exe
PID 596 wrote to memory of 580	596	svchost.exe	DllHost.exe
PID 596 wrote to memory of 580	596	svchost.exe	DllHost.exe
PID 1112 wrote to memory of 1396	1112	hlahqcg.exe	Explorer.EXE
PID 1112 wrote to memory of 1608	1112	hlahqcg.exe	vssadmin.exe
PID 1112 wrote to memory of 1608	1112	hlahqcg.exe	vssadmin.exe
PID 1112 wrote to memory of 1608	1112	hlahqcg.exe	vssadmin.exe
PID 1112 wrote to memory of 1608	1112	hlahqcg.exe	vssadmin.exe
PID 1112 wrote to memory of 1604	1112	hlahqcg.exe	hlahqcg.exe
PID 1112 wrote to memory of 1604	1112	hlahqcg.exe	hlahqcg.exe
PID 1112 wrote to memory of 1604	1112	hlahqcg.exe	hlahqcg.exe
PID 1112 wrote to memory of 1604	1112	hlahqcg.exe	hlahqcg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Local\Temp\75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe
"C:\Users\Admin\AppData\Local\Temp\75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:580

C:\Windows\system32\taskeng.exe
taskeng.exe {04FA8D7F-2642-463E-905D-A34925692CC1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
3⤵
- Interacts with shadow copies
PID:1608

C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
"C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe" -u
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1604

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\epmlysm
Filesize
654B

MD5
7e40f407a295b6c6882eba9625ac1aad

SHA1
c2d3588fee39f524d57fab31d48b585cc4f6db68

SHA256
cb9dd01a0f665c76f3fb0fd8a528076fff33b225feefee1cb60e5cae98eddc83

SHA512
235751218b3b11aa45e7cbf822c63a0ed157d7f723a7cebbeb18ef79a514ac9bcddbdc9de5238ce36681fff64f075c57e110dad776501967010f4b412af897ee

Download Submit
C:\ProgramData\Package Cache\epmlysm
Filesize
654B

MD5
7e40f407a295b6c6882eba9625ac1aad

SHA1
c2d3588fee39f524d57fab31d48b585cc4f6db68

SHA256
cb9dd01a0f665c76f3fb0fd8a528076fff33b225feefee1cb60e5cae98eddc83

SHA512
235751218b3b11aa45e7cbf822c63a0ed157d7f723a7cebbeb18ef79a514ac9bcddbdc9de5238ce36681fff64f075c57e110dad776501967010f4b412af897ee

Download Submit
C:\ProgramData\Package Cache\epmlysm
Filesize
654B

MD5
6cefa17faccd9b5cf562ba2fd2a2b305

SHA1
35f53e863c975929c0fccae79771e03e62058b23

SHA256
bd891f5541b937502a8bafa94dba03740c37490aba8697bc34c431bec2f32d00

SHA512
fcfc2638bbaa431787e671aa7052745bd09f6f3066bcbe66a519e1513dc757a95cdba847a63383fb8c1e32ebf18554aad7e8a4325e8804e659929f8b37095df3

Download Submit
C:\ProgramData\Package Cache\epmlysm
Filesize
654B

MD5
6cefa17faccd9b5cf562ba2fd2a2b305

SHA1
35f53e863c975929c0fccae79771e03e62058b23

SHA256
bd891f5541b937502a8bafa94dba03740c37490aba8697bc34c431bec2f32d00

SHA512
fcfc2638bbaa431787e671aa7052745bd09f6f3066bcbe66a519e1513dc757a95cdba847a63383fb8c1e32ebf18554aad7e8a4325e8804e659929f8b37095df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
Filesize
815KB

MD5
678d3c068832953f7adc0abdc538e320

SHA1
f3283eada70ba0362e9617706272f83f0524b7a1

SHA256
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e

SHA512
9658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
Filesize
815KB

MD5
678d3c068832953f7adc0abdc538e320

SHA1
f3283eada70ba0362e9617706272f83f0524b7a1

SHA256
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e

SHA512
9658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
Filesize
815KB

MD5
678d3c068832953f7adc0abdc538e320

SHA1
f3283eada70ba0362e9617706272f83f0524b7a1

SHA256
75b22b4ad62ae7c446d97bef05e57852fac262844963b49b2fea3ab197dacf6e

SHA512
9658c0ab87f96210d6cce95a1f7fcf6cfa3fff4264603bd80a0db567e42506e7a20ec7f39d21b734b4eba9b4b396bd9a140de495e73e39939f30b5b551770ba6

Download Submit
memory/580-69-0x0000000000000000-mapping.dmp

Download
memory/596-66-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/596-64-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/596-70-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1112-63-0x0000000001020000-0x000000000126B000-memory.dmp

Filesize
2.3MB

Download
memory/1112-59-0x0000000000000000-mapping.dmp

Download
memory/1388-57-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/1388-56-0x0000000002450000-0x000000000269B000-memory.dmp

Filesize
2.3MB

Download
memory/1388-55-0x0000000002230000-0x000000000244A000-memory.dmp

Filesize
2.1MB

Download
memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1604-77-0x0000000000000000-mapping.dmp

Download
memory/1604-81-0x0000000002470000-0x00000000026BB000-memory.dmp

Filesize
2.3MB

Download
memory/1608-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads