ctblocker | 5fe4e659c4bd91aec2a126c8f74b01b37d6ffc6701657c93d193decfe19834d0

General

Target

report-order-tracking-genereted-auto-gls.exe
Size

248KB
MD5

d8704f06cb0813c2cbb543b95fda51ce
SHA1

987886e485ecf443002159065411e42cb0dfc264
SHA256

39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40
SHA512

473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8
SSDEEP

3072:nhFldQnaongiDIhFxbQO48QmcjVDLAAbwwNL768P2NU+dNWz+78/H6OUdDGBLgvC:NbQFZ1ZnzFFPyc+A/etYXg0kZO0Cm

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-nntdmzk.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. VKJJSDN-IL6WJJI-TL4674V-UPHGP46-A2SCG3M-PF565E2-4N23WYZ-JGQY7PS K72QVPO-A4DAJQE-JVUZUFJ-PVY63L6-YQUQCOI-IUFWAI2-6SEA662-V3FWWB4 PVYIT23-ZYRSNH3-RNGFFFH-KEJKZSR-MD5ULE7-35HCD3I-MFMW4RZ-BBTW65T Follow the instructions on the server.

URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Executes dropped EXE 2 IoCs

pid	Process
1172	vhbumzm.exe
1052	vhbumzm.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SearchEnter.RAW.nntdmzk	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\WaitFind.RAW.nntdmzk	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CopyPing.CRW.nntdmzk	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 1900	1516	report-order-tracking-genereted-auto-gls.exe	28
PID 1172 set thread context of 1052	1172	vhbumzm.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-nntdmzk.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-nntdmzk.bmp	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1900	report-order-tracking-genereted-auto-gls.exe
1052	vhbumzm.exe
1052	vhbumzm.exe
1052	vhbumzm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	vhbumzm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1516	report-order-tracking-genereted-auto-gls.exe
1172	vhbumzm.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1900	1516	report-order-tracking-genereted-auto-gls.exe	28
PID 1516 wrote to memory of 1900	1516	report-order-tracking-genereted-auto-gls.exe	28
PID 1516 wrote to memory of 1900	1516	report-order-tracking-genereted-auto-gls.exe	28
PID 1516 wrote to memory of 1900	1516	report-order-tracking-genereted-auto-gls.exe	28
PID 1516 wrote to memory of 1900	1516	report-order-tracking-genereted-auto-gls.exe	28
PID 1516 wrote to memory of 1900	1516	report-order-tracking-genereted-auto-gls.exe	28
PID 1516 wrote to memory of 1900	1516	report-order-tracking-genereted-auto-gls.exe	28
PID 748 wrote to memory of 1172	748	taskeng.exe	30
PID 748 wrote to memory of 1172	748	taskeng.exe	30
PID 748 wrote to memory of 1172	748	taskeng.exe	30
PID 748 wrote to memory of 1172	748	taskeng.exe	30
PID 1172 wrote to memory of 1052	1172	vhbumzm.exe	31
PID 1172 wrote to memory of 1052	1172	vhbumzm.exe	31
PID 1172 wrote to memory of 1052	1172	vhbumzm.exe	31
PID 1172 wrote to memory of 1052	1172	vhbumzm.exe	31
PID 1172 wrote to memory of 1052	1172	vhbumzm.exe	31
PID 1172 wrote to memory of 1052	1172	vhbumzm.exe	31
PID 1172 wrote to memory of 1052	1172	vhbumzm.exe	31
PID 1052 wrote to memory of 580	1052	vhbumzm.exe	24
PID 580 wrote to memory of 676	580	svchost.exe	32
PID 580 wrote to memory of 676	580	svchost.exe	32
PID 580 wrote to memory of 676	580	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe
"C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe
  "C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:676

C:\Windows\system32\taskeng.exe
taskeng.exe {FB342D3B-9111-4871-A031-3BB7A997FA59} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
  C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
    "C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\jbnjrvg

Filesize
654B

MD5
0a2ffd6076494686b93100a061ff8783

SHA1
813c020e41027017e30871234d73ede354c3f54b

SHA256
908617fb9cada02ecf62cdef4effc915e0de7848057cd27e781c2b0b45e394f9

SHA512
10021095120889f6493bab41987646f8a783b56538f8b49f60f5456ae2df1038a50f488864266f7f0afb941fb3b65258c74179a1a9db7208c01955366c21f6ee

Download Submit
C:\ProgramData\Microsoft Help\jbnjrvg

Filesize
654B

MD5
0a2ffd6076494686b93100a061ff8783

SHA1
813c020e41027017e30871234d73ede354c3f54b

SHA256
908617fb9cada02ecf62cdef4effc915e0de7848057cd27e781c2b0b45e394f9

SHA512
10021095120889f6493bab41987646f8a783b56538f8b49f60f5456ae2df1038a50f488864266f7f0afb941fb3b65258c74179a1a9db7208c01955366c21f6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
248KB

MD5
d8704f06cb0813c2cbb543b95fda51ce

SHA1
987886e485ecf443002159065411e42cb0dfc264

SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
248KB

MD5
d8704f06cb0813c2cbb543b95fda51ce

SHA1
987886e485ecf443002159065411e42cb0dfc264

SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
248KB

MD5
d8704f06cb0813c2cbb543b95fda51ce

SHA1
987886e485ecf443002159065411e42cb0dfc264

SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

Download Submit
memory/580-83-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/580-81-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/1900-65-0x00000000005B0000-0x00000000006E3000-memory.dmp

Filesize
1.2MB

Download
memory/1900-64-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1900-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-63-0x0000000000400000-0x0000000000426E00-memory.dmp

Filesize
155KB

Download
memory/1900-62-0x00000000004A0000-0x00000000005A2000-memory.dmp

Filesize
1.0MB

Download
memory/1900-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1900-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing