ctblocker | 39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

General

Target

39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe
Size

248KB
MD5

d8704f06cb0813c2cbb543b95fda51ce
SHA1

987886e485ecf443002159065411e42cb0dfc264
SHA256

39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40
SHA512

473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8
SSDEEP

3072:nhFldQnaongiDIhFxbQO48QmcjVDLAAbwwNL768P2NU+dNWz+78/H6OUdDGBLgvC:NbQFZ1ZnzFFPyc+A/etYXg0kZO0Cm

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-xnnwmsb.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 46D63G4-WLXEWNB-CDR34TN-I6RY6FY-RJBAI4K-SCS66NH-2VLL4O6-K5ACUA4 4UDHIIS-LPTFVC2-XDMU4GS-CDDBK2B-ZQWKXN5-LKC6SHL-UL6P25D-COMBR62 C4D37HM-FCQDWBB-WXTOKMQ-QMW65BD-43PYRB5-RAGTRMM-CBKNLRD-ESDKFDB Follow the instructions on the server.

URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Executes dropped EXE 2 IoCs

pid	Process
1500	obvnomb.exe
1664	obvnomb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 1616	1628	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe	28
PID 1500 set thread context of 1664	1500	obvnomb.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-xnnwmsb.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-xnnwmsb.txt	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1616	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe
1664	obvnomb.exe
1664	obvnomb.exe
1664	obvnomb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	obvnomb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe
1500	obvnomb.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1616	1628	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe	28
PID 1628 wrote to memory of 1616	1628	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe	28
PID 1628 wrote to memory of 1616	1628	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe	28
PID 1628 wrote to memory of 1616	1628	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe	28
PID 1628 wrote to memory of 1616	1628	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe	28
PID 1628 wrote to memory of 1616	1628	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe	28
PID 1628 wrote to memory of 1616	1628	39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe	28
PID 1260 wrote to memory of 1500	1260	taskeng.exe	30
PID 1260 wrote to memory of 1500	1260	taskeng.exe	30
PID 1260 wrote to memory of 1500	1260	taskeng.exe	30
PID 1260 wrote to memory of 1500	1260	taskeng.exe	30
PID 1500 wrote to memory of 1664	1500	obvnomb.exe	31
PID 1500 wrote to memory of 1664	1500	obvnomb.exe	31
PID 1500 wrote to memory of 1664	1500	obvnomb.exe	31
PID 1500 wrote to memory of 1664	1500	obvnomb.exe	31
PID 1500 wrote to memory of 1664	1500	obvnomb.exe	31
PID 1500 wrote to memory of 1664	1500	obvnomb.exe	31
PID 1500 wrote to memory of 1664	1500	obvnomb.exe	31
PID 1664 wrote to memory of 584	1664	obvnomb.exe	26

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops file in Program Files directory
PID:584

C:\Users\Admin\AppData\Local\Temp\39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe
"C:\Users\Admin\AppData\Local\Temp\39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe
  "C:\Users\Admin\AppData\Local\Temp\39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616

C:\Windows\system32\taskeng.exe
taskeng.exe {7D066F29-BDA6-479C-9857-56534F0AD18F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
  C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
    "C:\Users\Admin\AppData\Local\Temp\obvnomb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\lvixnfh

Filesize
654B

MD5
6dfdb8331846fdf682c847ed2095facf

SHA1
be60599b1894feae809ef8038ad22f1ebca3bf08

SHA256
fee00d75a6efd0a74e7e48ec2615543f25a6dc99c7488e23bbe195b0a3e5b823

SHA512
75309136fc59d1e04fa00789981728579b106fba5bd1d93e5c4cdc3b2e70abb484ac6b44693c9bffcc8f7d5b546efccd175583c766f7be4bb853bc9072eb710d

Download Submit
C:\ProgramData\Microsoft Help\lvixnfh

Filesize
654B

MD5
6dfdb8331846fdf682c847ed2095facf

SHA1
be60599b1894feae809ef8038ad22f1ebca3bf08

SHA256
fee00d75a6efd0a74e7e48ec2615543f25a6dc99c7488e23bbe195b0a3e5b823

SHA512
75309136fc59d1e04fa00789981728579b106fba5bd1d93e5c4cdc3b2e70abb484ac6b44693c9bffcc8f7d5b546efccd175583c766f7be4bb853bc9072eb710d

Download Submit
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe

Filesize
248KB

MD5
d8704f06cb0813c2cbb543b95fda51ce

SHA1
987886e485ecf443002159065411e42cb0dfc264

SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe

Filesize
248KB

MD5
d8704f06cb0813c2cbb543b95fda51ce

SHA1
987886e485ecf443002159065411e42cb0dfc264

SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe

Filesize
248KB

MD5
d8704f06cb0813c2cbb543b95fda51ce

SHA1
987886e485ecf443002159065411e42cb0dfc264

SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

Download Submit
memory/584-83-0x00000000003F0000-0x0000000000467000-memory.dmp

Filesize
476KB

Download
memory/584-81-0x00000000003F0000-0x0000000000467000-memory.dmp

Filesize
476KB

Download
memory/1616-62-0x00000000004A0000-0x00000000005A2000-memory.dmp

Filesize
1.0MB

Download
memory/1616-63-0x0000000000400000-0x0000000000426E00-memory.dmp

Filesize
155KB

Download
memory/1616-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1616-65-0x00000000005B0000-0x00000000006E3000-memory.dmp

Filesize
1.2MB

Download
memory/1616-64-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1616-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1616-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1664-80-0x0000000000430000-0x0000000000563000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing