ctblocker | 9a044402863ec949deba6c91e6a12316281d35e824230a13dc4ca4404b95698f

General

Target

9a044402863ec949deba6c91e6a12316281d35e824230a13dc4ca4404b95698f.exe
Size

983KB
MD5

ad6b7c6d77ddb7ad5c0e13f286405573
SHA1

e18a27bb4ee24f867e529abad2e33bb4eefa0af7
SHA256

9a044402863ec949deba6c91e6a12316281d35e824230a13dc4ca4404b95698f
SHA512

b30258566577ee9cc703b550906c8981e3e11b173c7d178bf828c3be689e470c04b8fa557bce66d0040c1b2cdcd5e2d42df73dfec1532d1f72125eecc5ab1893
SSDEEP

24576:YtJTII35v4k8q3x6bids2LBpqWWLhz+ftN+LClZb:YtJTII35v4UU2LFWXLCHb

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-icogzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kurrmpfx6kgmsopm.onion.cab or http://kurrmpfx6kgmsopm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kurrmpfx6kgmsopm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. MXDBZ7E-5J3SE4K-WF7OUSA-JZSLYT3-342YJLA-KS7BXCL-LADPQB6-VCQXNWU YFTF4FU-532IX6M-6I7EFRW-W576WHP-TO2SRFB-4JENJ57-63RVC7W-UT4J4RV IKOUZK7-FSXUXTH-2FW3QMY-WH2FAGK-7NAI64C-4QDQBYV-2MVHM2V-4OMZ64G Follow the instructions on the server.

URLs

http://kurrmpfx6kgmsopm.onion.cab

http://kurrmpfx6kgmsopm.tor2web.org

http://kurrmpfx6kgmsopm.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-icogzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kurrmpfx6kgmsopm.onion.cab or http://kurrmpfx6kgmsopm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kurrmpfx6kgmsopm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. MXDBZ7E-5J3SE4K-WF7OUSA-JZSLYT3-342YJLA-KS7BXCL-LADPQB6-VCQXNWU YFTF4FU-532IX6M-6I7EFRW-W576WHP-TO2SRFB-4JENJ57-63RVC7W-UT4J4RV IKOUZK7-FSXUXTH-2FW3QMY-WH2FAGK-7NAIEOC-IIDQBYV-2MVHM2V-4OMZCXO Follow the instructions on the server.

URLs

http://kurrmpfx6kgmsopm.onion.cab

http://kurrmpfx6kgmsopm.tor2web.org

http://kurrmpfx6kgmsopm.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kurrmpfx6kgmsopm.onion.cab or http://kurrmpfx6kgmsopm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://kurrmpfx6kgmsopm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://kurrmpfx6kgmsopm.onion.cab

http://kurrmpfx6kgmsopm.tor2web.org

http://kurrmpfx6kgmsopm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
1000	pdfisga.exe
2024	pdfisga.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExportSync.CRW.icogzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\RepairSuspend.RAW.icogzxi	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	pdfisga.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pdfisga.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-icogzxi.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-icogzxi.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-icogzxi.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1060	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	pdfisga.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pdfisga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pdfisga.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640061006500300037006100650034002d0032006100330034002d0031003100650064002d0038003600630036002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1716	9a044402863ec949deba6c91e6a12316281d35e824230a13dc4ca4404b95698f.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe
1000	pdfisga.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1224	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	pdfisga.exe
Token: SeDebugPrivilege	1000	pdfisga.exe
Token: SeShutdownPrivilege	1224	Explorer.EXE
Token: SeShutdownPrivilege	1224	Explorer.EXE
Token: SeShutdownPrivilege	1224	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2024	pdfisga.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2024	pdfisga.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2024	pdfisga.exe
2024	pdfisga.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1224	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1000	1356	taskeng.exe	28
PID 1356 wrote to memory of 1000	1356	taskeng.exe	28
PID 1356 wrote to memory of 1000	1356	taskeng.exe	28
PID 1356 wrote to memory of 1000	1356	taskeng.exe	28
PID 1000 wrote to memory of 588	1000	pdfisga.exe	19
PID 588 wrote to memory of 1784	588	svchost.exe	29
PID 588 wrote to memory of 1784	588	svchost.exe	29
PID 588 wrote to memory of 1784	588	svchost.exe	29
PID 1000 wrote to memory of 1224	1000	pdfisga.exe	10
PID 1000 wrote to memory of 1060	1000	pdfisga.exe	30
PID 1000 wrote to memory of 1060	1000	pdfisga.exe	30
PID 1000 wrote to memory of 1060	1000	pdfisga.exe	30
PID 1000 wrote to memory of 1060	1000	pdfisga.exe	30
PID 1000 wrote to memory of 2024	1000	pdfisga.exe	32
PID 1000 wrote to memory of 2024	1000	pdfisga.exe	32
PID 1000 wrote to memory of 2024	1000	pdfisga.exe	32
PID 1000 wrote to memory of 2024	1000	pdfisga.exe	32
PID 588 wrote to memory of 1620	588	svchost.exe	33
PID 588 wrote to memory of 1620	588	svchost.exe	33
PID 588 wrote to memory of 1620	588	svchost.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1224
- C:\Users\Admin\AppData\Local\Temp\9a044402863ec949deba6c91e6a12316281d35e824230a13dc4ca4404b95698f.exe
  "C:\Users\Admin\AppData\Local\Temp\9a044402863ec949deba6c91e6a12316281d35e824230a13dc4ca4404b95698f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1784
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1620

C:\Windows\system32\taskeng.exe
taskeng.exe {06E3791B-F003-4F06-9345-C812C4225DFE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
  C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:1060
- - C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
    "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\xptppml

Filesize
654B

MD5
bf85caa3c19e9669ad22de02d7e6525f

SHA1
276f104a07570d10aebe01058c8678bb6bdf60e2

SHA256
9e356264fe7c7dfdfacef14acec160729577e8a086a59ee9a82c61271cf1de7e

SHA512
546f85329f428ebbbcf376139fa6f069af4209c6dd31b96e5ab7bbd66b7674d0541b0ffbfeaac032f18dc599394c9b168c7fd9022379ac7ea0fe8e62c2e44351

Download Submit
C:\ProgramData\Package Cache\xptppml

Filesize
654B

MD5
bf85caa3c19e9669ad22de02d7e6525f

SHA1
276f104a07570d10aebe01058c8678bb6bdf60e2

SHA256
9e356264fe7c7dfdfacef14acec160729577e8a086a59ee9a82c61271cf1de7e

SHA512
546f85329f428ebbbcf376139fa6f069af4209c6dd31b96e5ab7bbd66b7674d0541b0ffbfeaac032f18dc599394c9b168c7fd9022379ac7ea0fe8e62c2e44351

Download Submit
C:\ProgramData\Package Cache\xptppml

Filesize
654B

MD5
98808b11ff80325babf1c8c060e3f910

SHA1
79edcbe2040a1783fd7ba530017a0d9402d969c7

SHA256
2a448b67ff9b77a97071f96847aca55f362048ff1b2416e1417350cf2ed9804c

SHA512
d706f6edf1a9ed6300930f3edd203862bfb8412d5e456cda904c1d640760563c12918d83264b63263f2ff6b0bc35018e4ddb691642167a713b26674dde8d1bb6

Download Submit
C:\ProgramData\Package Cache\xptppml

Filesize
654B

MD5
98808b11ff80325babf1c8c060e3f910

SHA1
79edcbe2040a1783fd7ba530017a0d9402d969c7

SHA256
2a448b67ff9b77a97071f96847aca55f362048ff1b2416e1417350cf2ed9804c

SHA512
d706f6edf1a9ed6300930f3edd203862bfb8412d5e456cda904c1d640760563c12918d83264b63263f2ff6b0bc35018e4ddb691642167a713b26674dde8d1bb6

Download Submit
C:\ProgramData\zlwdkgg.html

Filesize
63KB

MD5
db5ec21103943264fcea5bfdc9489b32

SHA1
e9a47075234e445471c701d916d1f0dc0c8f7256

SHA256
685840707d0aea7c021de8c0936ce356a1d3ba83b2462eb155c28a15168b9ef0

SHA512
3606f939cacc607600e2500101d74db1e207bb40e7508c0ec4a9bc015962e14c92db0ee2037dd57db659cdedf25c5dd76b83b0009a26c63b815f186552c8378c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
983KB

MD5
ad6b7c6d77ddb7ad5c0e13f286405573

SHA1
e18a27bb4ee24f867e529abad2e33bb4eefa0af7

SHA256
9a044402863ec949deba6c91e6a12316281d35e824230a13dc4ca4404b95698f

SHA512
b30258566577ee9cc703b550906c8981e3e11b173c7d178bf828c3be689e470c04b8fa557bce66d0040c1b2cdcd5e2d42df73dfec1532d1f72125eecc5ab1893

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
983KB

MD5
ad6b7c6d77ddb7ad5c0e13f286405573

SHA1
e18a27bb4ee24f867e529abad2e33bb4eefa0af7

SHA256
9a044402863ec949deba6c91e6a12316281d35e824230a13dc4ca4404b95698f

SHA512
b30258566577ee9cc703b550906c8981e3e11b173c7d178bf828c3be689e470c04b8fa557bce66d0040c1b2cdcd5e2d42df73dfec1532d1f72125eecc5ab1893

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
983KB

MD5
ad6b7c6d77ddb7ad5c0e13f286405573

SHA1
e18a27bb4ee24f867e529abad2e33bb4eefa0af7

SHA256
9a044402863ec949deba6c91e6a12316281d35e824230a13dc4ca4404b95698f

SHA512
b30258566577ee9cc703b550906c8981e3e11b173c7d178bf828c3be689e470c04b8fa557bce66d0040c1b2cdcd5e2d42df73dfec1532d1f72125eecc5ab1893

Download Submit
memory/588-71-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/588-65-0x0000000000460000-0x00000000004D7000-memory.dmp

Filesize
476KB

Download
memory/588-67-0x0000000000460000-0x00000000004D7000-memory.dmp

Filesize
476KB

Download
memory/1000-64-0x0000000000E10000-0x000000000105B000-memory.dmp

Filesize
2.3MB

Download
memory/1716-57-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/1716-56-0x0000000002460000-0x00000000026AB000-memory.dmp

Filesize
2.3MB

Download
memory/1716-58-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1716-55-0x0000000002240000-0x000000000245A000-memory.dmp

Filesize
2.1MB

Download
memory/1716-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/2024-82-0x0000000002480000-0x00000000026CB000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads