ctblocker | 9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe
Size

742KB
MD5

39c0e005cd2892a7b315081f9db6dc37
SHA1

e9c2dda548ca0f53939d8bbf9228a92977964341
SHA256

9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62
SHA512

e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e
SSDEEP

12288:T2359uMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:S5p126wFn8KL8tz4MZHVLJtimSimHROY

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-fpcelmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. EJ23DKV-3ULGU5C-DZKZNYN-FMGPYLO-5BBNB3V-3F6GKAV-LOV7G37-WEGG74F VBH25TC-AHM5SXN-JSBJO64-NF56BJF-WHOYQDY-EODMLAC-ZNDKZYW-6LL5AAX SI4XGSP-NXCK3IW-I6LRE3U-JNXHAZD-HHIABSD-PKBKCIJ-G46CUBK-54EVLBP Follow the instructions on the server.

URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-fpcelmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. EJ23DKV-3ULGU5C-DZKZNYN-FMGPYLO-5BBNB3V-3F6GKAV-LOV7G37-WEGG74F VBH25TC-AHM5SXN-JSBJO64-NF56BJF-WHOYQDY-EODMLAC-ZNDKZYW-6LL5AAX SI4XGSP-NXCK3IW-I6LRE3U-JNXHAZD-HHIATDD-DSBKCIJ-G46CUBK-54EFHIQ Follow the instructions on the server.

URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Executes dropped EXE 1 IoCs

pid	Process
1048	pcrcyge.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConfirmSend.RAW.fpcelmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConnectSave.CRW.fpcelmn	svchost.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-fpcelmn.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-fpcelmn.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-fpcelmn.bmp	svchost.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1196	9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe
1048	pcrcyge.exe
1048	pcrcyge.exe
1048	pcrcyge.exe
1048	pcrcyge.exe
1048	pcrcyge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	pcrcyge.exe
Token: SeDebugPrivilege	1048	pcrcyge.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1048	980	taskeng.exe	28
PID 980 wrote to memory of 1048	980	taskeng.exe	28
PID 980 wrote to memory of 1048	980	taskeng.exe	28
PID 980 wrote to memory of 1048	980	taskeng.exe	28
PID 1048 wrote to memory of 580	1048	pcrcyge.exe	21
PID 1048 wrote to memory of 1388	1048	pcrcyge.exe	11
PID 580 wrote to memory of 1232	580	svchost.exe	29
PID 580 wrote to memory of 1232	580	svchost.exe	29
PID 580 wrote to memory of 1232	580	svchost.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
PID:1388
- C:\Users\Admin\AppData\Local\Temp\9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe
  "C:\Users\Admin\AppData\Local\Temp\9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1232

C:\Windows\system32\taskeng.exe
taskeng.exe {E1C49DCA-2FD0-4029-B638-15B188CDE006} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
  C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\aubdarb

Filesize
654B

MD5
4cbf9a5efe7df62017c28ef4e4a248e8

SHA1
50851a02dba65bc1bf6672c4a5c455ba9ba49254

SHA256
a6991af3f085474f0110658ca8ff75842b3ae76a833a87f51fc7b34966c3dbb0

SHA512
1d5d588ea7ccbc2c96cced756b3d7d3b254206b0fa458fcb185cc2f9ca088aa744bea9456a1ef98d8413373b1a480c8d1a12dc54bb4ce2c2e52ed2b46d39df30

Download Submit
C:\ProgramData\Microsoft Help\aubdarb

Filesize
654B

MD5
d7b51fd436e2e6e8f7d987838ce2340f

SHA1
5eab9886b8004651d2865a2bf6f56c66e22c7f0f

SHA256
32875dd352f9f83cb84aa137ade232fe70444c0654504496e1836a1e1a21007a

SHA512
72c3aeb400aa76eaaf666852accc97681dba19f0eacfef69ea281938c58c6c2804a94f31215e40271c437f2df7dfc8d31790e57402086f36e18b01e1e4665b5b

Download Submit
C:\ProgramData\Microsoft Help\aubdarb

Filesize
654B

MD5
5477b8306b9357b5af6904be52c981a8

SHA1
1fd10eab62a6cf97dae80aed6b7e94eef6e074d7

SHA256
0415e91950861bf8138a6731d4f7964f76425b0538d06ce13df6399d732f5010

SHA512
b8923585be16c2c7fdeff23e0d38f93ec4afb770934b2b3de882a2d3ed1baf10246456ebff43d6f2e48bf9cd20d5e5094503581339d908430524764f86619cef

Download Submit
C:\ProgramData\Microsoft Help\aubdarb

Filesize
654B

MD5
5477b8306b9357b5af6904be52c981a8

SHA1
1fd10eab62a6cf97dae80aed6b7e94eef6e074d7

SHA256
0415e91950861bf8138a6731d4f7964f76425b0538d06ce13df6399d732f5010

SHA512
b8923585be16c2c7fdeff23e0d38f93ec4afb770934b2b3de882a2d3ed1baf10246456ebff43d6f2e48bf9cd20d5e5094503581339d908430524764f86619cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe

Filesize
742KB

MD5
39c0e005cd2892a7b315081f9db6dc37

SHA1
e9c2dda548ca0f53939d8bbf9228a92977964341

SHA256
9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

SHA512
e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe

Filesize
742KB

MD5
39c0e005cd2892a7b315081f9db6dc37

SHA1
e9c2dda548ca0f53939d8bbf9228a92977964341

SHA256
9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

SHA512
e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

Download Submit
C:\Users\Admin\Desktop\CheckpointOut.DOC.fpcelmn

Filesize
251KB

MD5
2685c244ba4fc2cc33e12cf6b84f888c

SHA1
4692b0cbd74aa005324ff60c9de6383622024164

SHA256
ae841accdfff2e067da94edf1ebd98b0cbc3a1ce0a45462fe319f761eb446f84

SHA512
05c45791574d6e861f31bf58b072f57662a368eaf5cdfab79e9c55e7eba589d7dc2709e9648d592248eb08bbeaaab4ccffb59f8e999d90b146cf268da6f52daa

Download Submit
C:\Users\Admin\Desktop\ProtectPush.RTF.fpcelmn

Filesize
302KB

MD5
510da0301f42ed61df45833a65db1ab7

SHA1
0e28bea33d82b5e6231210805cc5a4a217299453

SHA256
09adbf7a7c444435544bdaa8e5f8dedd8f217ed4585effff0859fb577cf8b1d2

SHA512
7051ae6ce6ff73b1f02616c8ea9ccb6432b3b66125d1777bc12a505624c5d3871d6eb923f9210eae49d629fc5e1fd4b1fc9844bec732a8333948625b251443c8

Download Submit
C:\Users\Admin\Desktop\RestartDebug.RAR.fpcelmn

Filesize
149KB

MD5
bd143788b117b30663cb89e310240840

SHA1
0380f3ad6037fe939f2a369596458937156c4773

SHA256
99f21c40ffc9023dce3649113d9345437f8da87bf8712a146185d5f5ca09876c

SHA512
bdc4d3bfe11642198dd81aa573fa06cc3067d090f1735d37472301e907c03a9b0013048da54485a948ab8a5338c30d893878845935db9ef87f0d612b86f89535

Download Submit
C:\Users\Admin\Desktop\WriteRemove.ODP.fpcelmn

Filesize
234KB

MD5
49d7ae8d1010aa002966ac635cf5c743

SHA1
eb925c66db8edca39c77702293be2e4721dd9ebf

SHA256
871af1992857e339bd7a7196f9d9734f2e791bc9d417ae04c0ed92d09e8d8dd8

SHA512
6f11d153a70034830d2b547c45a5f0f45a8e0e79beab0aca65c512b39d7869ccdc03e0b9ecabf17427927ddce80e58451d8cdca22bfa056f264cedfd145b95d2

Download Submit
memory/580-67-0x0000000000550000-0x00000000005C7000-memory.dmp

Filesize
476KB

Download
memory/580-72-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/580-69-0x0000000000550000-0x00000000005C7000-memory.dmp

Filesize
476KB

Download
memory/1048-66-0x0000000000FF0000-0x000000000123B000-memory.dmp

Filesize
2.3MB

Download
memory/1196-58-0x00000000023F0000-0x000000000263B000-memory.dmp

Filesize
2.3MB

Download
memory/1196-57-0x00000000021D0000-0x00000000023EA000-memory.dmp

Filesize
2.1MB

Download
memory/1196-55-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1196-56-0x0000000000401000-0x00000000004A5000-memory.dmp

Filesize
656KB

Download
memory/1196-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download