ctblocker | a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

General

Target

a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe
Size

1012KB
MD5

d9687bcc9a27bcd0f13b9582edb06f67
SHA1

a74a952457d1bc2edb9d459852fe823615870f60
SHA256

a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92
SHA512

c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769
SSDEEP

12288:b5r+zclYhHS4xovm4+l+9qzezjhGfqlmTlKb37NTXivuzV+2ZrPhnqyPqFjFMuMX:b1+E0SmUafqGlKj7NbivuM2ZrJCjN8

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ojkdmzk.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 4JMOTVD-UWYB7TR-FVIQFZB-IA67GPU-L57SAR6-TPRPRFV-REFDO2S-4AYS7LK ZJXJCOH-UDJDMBU-H5ZALGU-JCMQ3UO-HISXZJV-IZE7VWE-7SJ7YRP-GNJDBIF VH4VATS-UENATDV-73WKAK3-PVHFCKV-E74UPLI-MB4NOIZ-2QCXNY3-YQ33D5E Follow the instructions on the server.

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Executes dropped EXE 2 IoCs

pid	Process
1320	vhbumzm.exe
1860	vhbumzm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 328	2028	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	28
PID 1320 set thread context of 1860	1320	vhbumzm.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ojkdmzk.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ojkdmzk.bmp	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
328	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe
1860	vhbumzm.exe
1860	vhbumzm.exe
1860	vhbumzm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	vhbumzm.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 328	2028	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	28
PID 2028 wrote to memory of 328	2028	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	28
PID 2028 wrote to memory of 328	2028	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	28
PID 2028 wrote to memory of 328	2028	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	28
PID 2028 wrote to memory of 328	2028	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	28
PID 2028 wrote to memory of 328	2028	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	28
PID 2028 wrote to memory of 328	2028	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	28
PID 2028 wrote to memory of 328	2028	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	28
PID 680 wrote to memory of 1320	680	taskeng.exe	30
PID 680 wrote to memory of 1320	680	taskeng.exe	30
PID 680 wrote to memory of 1320	680	taskeng.exe	30
PID 680 wrote to memory of 1320	680	taskeng.exe	30
PID 1320 wrote to memory of 1860	1320	vhbumzm.exe	31
PID 1320 wrote to memory of 1860	1320	vhbumzm.exe	31
PID 1320 wrote to memory of 1860	1320	vhbumzm.exe	31
PID 1320 wrote to memory of 1860	1320	vhbumzm.exe	31
PID 1320 wrote to memory of 1860	1320	vhbumzm.exe	31
PID 1320 wrote to memory of 1860	1320	vhbumzm.exe	31
PID 1320 wrote to memory of 1860	1320	vhbumzm.exe	31
PID 1320 wrote to memory of 1860	1320	vhbumzm.exe	31
PID 1860 wrote to memory of 596	1860	vhbumzm.exe	24

C:\Users\Admin\AppData\Local\Temp\a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe
"C:\Users\Admin\AppData\Local\Temp\a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe
  "C:\Users\Admin\AppData\Local\Temp\a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops file in Program Files directory
PID:596

C:\Windows\system32\taskeng.exe
taskeng.exe {CE2B92BB-8815-45E6-81A6-B36E7E86CC97} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
  C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
    C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\jbnjrvg

Filesize
654B

MD5
909bc6c5876d5400928ff7534d5faf7d

SHA1
35397b7e43d85816dc39488cb01ec8c019b0695b

SHA256
55964de0cf8e7c101a2b82aeacb2ea5c8b9b8e80a3e39c1a190bc3316bda677c

SHA512
64c2ce09837fc5e5acdbbe2bc26208be542e7bd2bd039a50878afca6321a767456be4ef2126199668cfd04cad1afeee05e06ec54a4d77ef89d84e9a9f55211f7

Download Submit
C:\ProgramData\Microsoft\jbnjrvg

Filesize
654B

MD5
909bc6c5876d5400928ff7534d5faf7d

SHA1
35397b7e43d85816dc39488cb01ec8c019b0695b

SHA256
55964de0cf8e7c101a2b82aeacb2ea5c8b9b8e80a3e39c1a190bc3316bda677c

SHA512
64c2ce09837fc5e5acdbbe2bc26208be542e7bd2bd039a50878afca6321a767456be4ef2126199668cfd04cad1afeee05e06ec54a4d77ef89d84e9a9f55211f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
1012KB

MD5
d9687bcc9a27bcd0f13b9582edb06f67

SHA1
a74a952457d1bc2edb9d459852fe823615870f60

SHA256
a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

SHA512
c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
1012KB

MD5
d9687bcc9a27bcd0f13b9582edb06f67

SHA1
a74a952457d1bc2edb9d459852fe823615870f60

SHA256
a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

SHA512
c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
1012KB

MD5
d9687bcc9a27bcd0f13b9582edb06f67

SHA1
a74a952457d1bc2edb9d459852fe823615870f60

SHA256
a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

SHA512
c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

Download Submit
memory/328-66-0x0000000000990000-0x0000000000BDB000-memory.dmp

Filesize
2.3MB

Download
memory/328-58-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/328-63-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/328-64-0x0000000000770000-0x000000000098A000-memory.dmp

Filesize
2.1MB

Download
memory/328-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/328-61-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/596-84-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/596-82-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1320-76-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-81-0x00000000006D0000-0x000000000091B000-memory.dmp

Filesize
2.3MB

Download
memory/2028-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/2028-56-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-62-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-55-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing